tag:blogger.com,1999:blog-137562802018-12-14T09:07:16.610-08:00Jeremiah GrossmanCEO of Bit Discovery, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, Off-Road Race Car Driver, Founder of WhiteHat Security, and Maui resident.
Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.comBlogger723125This is an XML content feed. It is intended to be viewed in a newsreader or syndicated to another site, subject to copyright and fair use.tag:blogger.com,1999:blog-13756280.post-22609247408631607572018-08-29T10:03:00.000-07:002018-08-29T10:03:13.960-07:00Evolution of The Press<div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;Helvetica Neue&quot;;"><i>Below is a working theory on the evolution of The Press in the United States as it relates to their relationship with the government and the people. I expect to continue refining the theory as new perspectives and competing ideas are discussed.</i></span></div><div style="font-stretch: normal; line-height: normal;"><br /></div><div style="font-stretch: normal; line-height: normal;"><b><span style="font-family: Helvetica Neue;">Phase 1) </span><span style="font-family: &quot;Helvetica Neue&quot;;">TL/DR; The press’s primary value in the system is transmitting a message from the government to the people. The press’s customers are their subscribers who purchase news.&nbsp;</span></b></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Consider the early days of United States of America throughout the late 1700s and 1800s. As elected officials governed and managed the business of a young country, operationally it was crucial they had a way to broadly communicate with their citizens. They needed to let the everyone know that there was a strong hand was on the tiller, that the people are safe, and they can sleep well at night.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Imagine government’s options to communicate across the country. Think about the technology that was available. How ideas and thoughts were recorded and how they were transmitted. There was no radio. There was no television. There certainly wasn’t an Internet. Ink and paper was the state of the art. While the government could physically write down their message, outside of standing at podiums surrounded by small local gatherings of people or leafletting, they did not have a scalable means of transmitting their message to the masses. So, the government and the country needed assistance. This need is where an entity called “The Press” established it’s value in the larger system — transmission of the government’s messages.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">The press had journalists with the necessary tools to record the government’s message down <u>on paper</u>, who would perform some amount of fact checking, and then package the information as a cohesive and largely transcribed story. The press also had access to a new invention called the printing press enabling them to productize the message, such as a newspaper. And most importantly, the press created channels of distribution, such as horses automobiles, and the telephone to deliver the message to a variety of locations where it could be easily purchased. Put simply, the process was the press would be invited in by the government to document their message, print a large number of copies of newspapers, and then make the materials widely available to the people where the had the opportunity to buy it.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">This predominately was the value the press provided to the system — transmission. Of course it was important for the press to be mindful about what they printed, particularly the accuracy and relevancy of the message, otherwise people might stop paying for it in favor of another newspaper. The people depended upon the credibility of the press to tell the story right. Let’s not forget this. This dynamic between the government, the press, and the people carried through until about the 40s and 50s when the radio and television began changing the paradigm.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><b><span style="font-family: Helvetica Neue;">Phase 2) </span><span style="font-family: &quot;Helvetica Neue&quot;;">TL/DR; The press’s value proposition in split between transmitting the government’s message to the people to telling them how to think about the message. The press’s customers are their subscribers and advertisers.</span></b></div><div style="font-stretch: normal; line-height: normal;"><br /></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Over time communications technology advanced and became far more affordable. Radio became common place in society and television sets started appearing in the average U.S. household in the early 1950s. With these modern tools the government could transmit their message directly to the people across the country and cut out the middleman — the press. The government no longer exclusively needed the press to get its message out to the masses.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">And since the government could bring their message directly to the people, and the country was in a more stable position, they didn’t necessarily have to always help people sleep at night. In fact, often the opposite was true. Causing some amount of fear actually helped the government further consolidate their power. As a result, the press needed to find a new way to provide value to the system, beyond just message transmission, in order to maintain their survival.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">During this period the press began shifting their value proposition from solely message transmission to <u>telling people how to think about the government’s message</u>. The press would take the governments message, create a compelling narrative to help people interpret the story, and transmit their product to the masses over the television and radio airwaves. As a product, this method of news packaging and delivery was attractive to people. There had become a significant increase of information to parse from a variety of sources, too much for any one individual to decide what was important to consume. The Ted Koppel’s and Tom Brokaw’s of the television news world became the credible sources of the press and filled a void left by the government to help the country sleep well at night.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">There were a couple of problems the press needed overcome though. For example, it was not possible for the press to make money with electronically broadcast news in the same way they did with print media. It was not mechanically possible to charge viewers or listeners for news transmitted electronically. The press’s solution was sponsored advertising. News content accompanied by commercials. As such, the more people that watched and listened, and the longer they did so, the more valuable their advertising slots became. Another challenge the press needed to overcome with television and radio was that the physical time available to watch or listen to content was more limited. There is far more space to pack in far more content into the pages of a daily newspaper than what’s possible in a couple of hours of daily broadcast news spots.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Collectively, the new adversing-based business model and a limited amount of space for content changed how the press covered the government’s message in two profound ways. First, it shifted the priority for the transmission and accuracy of the message as their main value proposition in favor of whatever kept people watching and listening. And secondly, the press had to be more choosey with what message and narrative filled the available time and what didn’t. Furthermore, the press had to narrowly cater to a particular demographic of person with their content than what was originally necessary with print. In television and radio the more the news captures emotions and attention, the better the press does financially.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Fast forward several decades under these conditions and the people begin to clearly see a lot of bias in the press and an agenda. And while bias and agenda is certainly present, how could there NOT be, but in this context it’s best not to think the press is taking a principled stand. They’re not. Instead think of their bias and agenda as simply the press’s way of focusing their product at a particular customer like any business would. The press is drawing a circle around a suitable demographic for their product and value proposition, which again is to both transmit the government’s message and tell people how to think about in a way that helps to maximize ears and eyeballs. For example, there effectively isn’t a left-wing or right-wind press in a truly principled manner. The exact opposite is true. There are left-wing and right-wing people where the press tailor makes a narrative based on the government’s message that is compelling to them.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><b><span style="font-family: Helvetica Neue;">Phase 3)&nbsp;</span><span style="font-family: &quot;Helvetica Neue&quot;;">TL/DR; The press’s value proposition is telling people how to think about the government’s &nbsp;message. The press’s customers are advertisers.</span></b></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Enter the Internet in the early 1990s where transmission of information had become easy and inexpensive for everyone, and not just within the United States, but the entire modern world. The government no longer needed the press to transmit their message to the people at all. The government could transmit directly to the people or the people could go directly to the government. No middleman required. Without anyone needing the press for message transmission, as a business, print media fell off a cliff in under two decades. <u>For survival sake, the press had to complete the transition away from transmission of the government’s message as a value proposition to nearly exclusively telling people how to think about it.</u> That’s all of value they offer and in doing so message accuracy can be sacrificed whenever necessary. And of course the press’s content is heavily layered with advertisements.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">As is turns out, the best way to attract more viewers for longer is to connect on a deep emotional level. Do whatever you can to rile up your viewers and they’ll continue coming back for more, even share the content forward to others in their social group, where even more ads can be lucratively served. Press outlets such as Fox News, CNN, MSNBC, and more all cross the political spectrum have strongly adopted this approach. The press outlets that didn’t adapt, died. &nbsp;</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">As a product, these sources offer people a compelling and packaged way to validate their worldview — and THAT’s what keep the press ultimately credible and trustworthy in their minds. As evidence notice how the Ted Koppel’s and Tom Brokaw’s of the press have been replaced by Alex Jones, Bill O’Reilly, Keith Olbermann and Don Lemon’s. Is this change of their starting lineup designed to give viewers access to more accurate news or instead get people emotionality invested? Even when the press is demonstrably biased, factually incorrect, call it ‘Fake News’ if you like, it’s extremely difficult for people to suddenly distrust the press they decided to loyally watch for so long and find another compelling source. Perception becomes reality and exists long after the occasional and quietly posted retraction.</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><b>Phase 4) TL/DR; If via the Internet people once again adopt a direct paid-for news model, the press’s primary value become providing people with an individually relevant, timely, and accurate news source of the government’s message.</b></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Going forward into the future, many feel there is a demand for relevant, timely, and accurate news sources. News that’s devoid of the influences of advertisements and paid directly by the people. Several press outlets have set-up paywalls and the business model is showing signs of success. All people have to do is register an account on a website or mobile application and supply a credit card online to become a subscriber. Another business model is micro-payments, where viewers pay for their content a la carte — by the article. A relatively new web browser named <a href="https://brave.com/" target="_blank">Brave</a>, which includes ad blocking, offers native push button micro-payment functionality which supports participating content publishers.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: Helvetica Neue;">Here’s the thing: If any transition back to directly paid-for news truly starts gaining enough traction to threaten to the ad-based model, fierce resistance by the advertising industry is sure to follow. Google and Facebook, which dominate the online advertising industry, who along side many others who make all their billions annually off ‘free’ content, will do everything they can to prevent the transition. Their livelihoods depend on it. Regardless, if it so happens that the paid-for model once again takes hold, many positive externalities may also come with it. Fake news goes away. Click-bait headlines go away. Online spam goes away. Privacy invading ads go away. All of these shady practices found on the Internet depend wholly on advertisements to function. The adoption of <a href="https://www.ublock.org/" target="_blank">ad blockers</a>, which now stands over 20% marketshare, indicates that people are making a choice, even if they aren’t yet paying for their content. Broad access to new technology is once again causing a shift in the press and how the government communicates it’s message.</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: &quot;Helvetica Neue&quot;; font-size: 11px; font-stretch: normal; line-height: normal;"><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com1http://blog.jeremiahgrossman.com/2018/08/evolution-of-press.htmltag:blogger.com,1999:blog-13756280.post-45935830498398638332018-07-17T17:38:00.002-07:002018-07-17T17:39:57.622-07:00The evolutionary waves of the penetration-testing / vulnerability assessment marketOver the last two decades the penetration-testing / vulnerability assessment market went through a series of evolutionary waves that went like this…<br /><br /><span style="color: #38761d;"><i><b>1st Wave</b>: “You think we have vulnerabilities and want to hire an employee to find them? You’re out of your mind!"</i></span><br /><br />The business got over it and InfoSec people were hired for the job.<br /><br /><span style="color: #38761d;"><i><b>2nd Wave</b>: "You want us to contract with someone outside the company, a consultant, to come onsite and test our security? You’re out of your mind!"</i></span><br /><br />The business got over it and consultant pen-testing took over.<br /><br /><span style="color: #38761d;"><i><b>3rd Wave</b>: "You want us to hire a third-party company, a scanning service, to test our security and store the vulnerabilities off-site? You’re out of your mind!’</i></span><br /><br />The business got over it and SaaS-based vulnerability assessments took over.<br /><br /><span style="color: #38761d;"><i><b>4th Wave</b>: "You want us to allow anyone in the world to test our security, tell us about our vulnerabilities, and then reward them with money? You’re out of your mind!"</i></span><br /><br />Businesses are getting over it and the crowd-sourcing model is taking over.<br /><br />The evolution reminds us of how the market for ‘driving’ and ‘drivers’ changed over the last century. People first drove their own cars around, then many hired personal drivers, then came along cars-for-hire services (cabs / limos) with ‘professional’ drivers that you didn’t personally know, and now to Uber/Lyft where you basically jump into some complete stranger’s car. Soon, we’ll jump into self-drivers cars without a second thought.<br /><br />As we see, each new wave doesn't necessarily replace the last -- it's additive. Provided there is an economically superior ROI and value proposition, people also typically get over their fears of the unknown and will adopt something new and better. It just takes time.<br /><br /><br /><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com1http://blog.jeremiahgrossman.com/2018/07/the-evolutionary-waves-of-penetration.htmltag:blogger.com,1999:blog-13756280.post-63774583577951110862018-05-07T11:38:00.000-07:002018-05-07T11:45:36.891-07:00All these vulnerabilities, rarely matter.<div style="font-stretch: normal; line-height: normal;"><span style="-webkit-text-stroke-width: initial; font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possible can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are <u>likely</u> to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what’s happening every day. Let’s begin exploring this with some context:</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Within any Application Security vulnerability statistics report published over the last 10 years, they’ll state that the vast majority of websites contain one or more serious issues — typically dozens. To be clear, we’re NOT talking about website infected with malvertizements or network based vulnerabilities that can trivially found via Shodan and the like. Those are separate problems. I’m talking exclusively about Web application vulnerabilities such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, and several dozen more classes. The data shows only half of those reported vulnerabilities ever get fixed and doing so take many months. Pair this with <a href="https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html" target="_blank">Netcraft’s data that states there’s over 1.7B sites on the Web</a>. Simple multiplication tells us that’s A LOT of vulnerabilities in the ecosystem laying exposed.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;">The most interesting and unexplored question to me these days is NOT the sheer size of the vulnerability problem, or why so many issue remain unresolved, but instead figuring out </span><span style="font-kerning: none; text-decoration: underline;"><b>why all those ‘serious’ website vulnerabilities are NOT exploited. </b></span><span style="font-kerning: none;">Don’t get me wrong, a lot of websites certainly do get exploited, perhaps on the order of millions per year, but it’s certainly not in the realm of tens or even hundreds of millions like the data suggests it could be. And the fact is, for some reason, the vast majority of plainly vulnerable websites with these exact issues remain unexploited for years upon years.&nbsp;</span></span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Some possible theories as to why are:</span></div><ol><li><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">These ‘vulnerabilities’ are not really vulnerabilities in the directly exploitable sense.</span></li><li><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">The vulnerabilities are too difficult for the majority of attackers to find and exploit.</span></li><li><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">The vulnerabilities are only exploitable by insiders.</span></li><li><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">There aren’t enough attackers to exploit all or even most of the vulnerabilities.</span></li><li><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">There are more attractive targets or exploit vectors for attackers to focus on.</span></li></ol><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Other plausible theories?</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">As someone who worked in the Application Security vulnerability assessment vendor for 15+ years, here is something to consider that speaks to theory #1 and #2 above.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">During the typical sales process, ‘free’ competitive bakeoffs with multiple vendors is standard practice. <b>9 out of 10 times, the vendor who produces the best results in terms of high-severity vulnerabilities with low false-positives will win the deal. As such, every vendor is heavily incentivized to identify as many vulnerabilities as they can to demonstrate their skill and overall value. </b>Predictively then, every little issue will be reported, from the most basic information disclosure issues to the extremely esoteric and difficult to exploit. No vendor wants to be the one who missed or didn’t report something that another vendor did and risk losing a deal. More is always better. As further evidence, ask any customer about the size and fluff of their assessment reports.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Understanding this, the top vulnerability assessment vendors invest millions upon millions of dollars each year in R&amp;D to improve their scanning technology and assessment methodology to uncover every possible issue. And it makes sense because this is primarily how vendors win deals and grow their business.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Before going further, let’s briefly discuss the reason why we do vulnerability assessments in the first place. <b>When it comes to Dynamic Application Security Testing (DAST), specifically testing in production, the whole point is to find and fix vulnerabilities BEFORE an attacker will find and exploit them. </b>It’s just that simple. And technically, it just takes the exploitation of one vulnerability for the attacker to succeed.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Here’s the thing: <b>if attackers really aren’t finding, exploiting, or even caring about these vulnerabilities as we can infer from the supplied data — the value in discovering them in the first place becomes questionable. </b>The application security industry industry is heavily incentivized to find vulnerabilities that for one reason or another have little chance of actual exploitation. If that’s the case, <b>then all those vulnerabilities that DAST is finding rarely matter much and we’re collectively wasting precious time and resources focusing on them.&nbsp;</b></span></div><div style="font-stretch: normal; line-height: normal; min-height: 13px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"><b></b></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Let’s tackle Static Application Security Testing (SAST) next.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;"><b>The primary purpose of SAST is to find vulnerabilities during the software development process BEFORE they land in production where they’ll eventually be found by DAST and/or exploited by attackers.</b> With this in mind, we must then ask what the overlap is between vulnerabilities found by SAST and DAST. If you ask someone who is an expert in both SAST and DAST, specifically those with experience in this area of vulnerability correlation, they’ll tell you the overlap is around 5-15%. Let’s state that more clearly, <b>somewhere between 5-15% of the vulnerabilities reported by SAST are found by DAST.</b> And let’s remember, from an I-dont-want-to-be-hacked perspective, DAST or attacker-found vulnerabilities are really the only vulnerabilities that matter. Conceptually, SAST helps find them those issues earlier. But, does it really? I challenge anyone, particularly the vendors, to show actual broad field evidence.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Anyway, what then are all those OTHER vulnerabilities that SAST is finding, which DAST / attackers are not?&nbsp; Obviously, it’ll be some combination of theories #1 - #3 above. They’re not really vulnerabilities, they’re too difficult to remotely find/exploit, or attackers don’t care about them. In either case, what’s the real value for the other 85-95% of vulnerabilities reported by SAST? A: Not much. If you want to know why so many reported 'vulnerabilities' aren’t fixed, this is your long-winded answer.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">This is also why cyber-insurance firms feel comfortable writing policies all day long, even if they know full well their clients are technically riddled with vulnerabilities, because statistically they know those issues are unlikely to be exploited or lead to claims. That last part is key — claims. <b>Exploitation of a vulnerability does not automatically result in a ‘breach,’ which does not necessarily equate to a ‘material business loss,’ and loss is the only thing the business or their insurance carrier truly cares about. </b>Many breaches do not result is losses. This is an crucial point that many InfoSec pros are unable to distinguish between — breach and loss. They are NOT the same thing.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 13px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"><b></b></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;">So far we’ve discussed the misalignment of interests between Application Security vulnerability assessment vendors and their customers. The net-result of which is that that we’re wasting huge amounts of time, money, and energy finding and fixing vulnerabilities that rarely matter. If so, the first thing we need to do is come up with a better way to prioritize and justify remediation, or not, of the vulnerabilities we already know exist and should care about. Secondly, we must more efficiently invest our resources in the application security </span><span style="font-kerning: none; text-decoration: underline;">testing</span><span style="font-kerning: none;"> process.&nbsp;</span></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">We’ll begin with the simplest risk formula: probability (of breach) x loss (expected) = risk.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Let’s make up some completely bogus numbers to fill in the variables. In a given website we know there’s a vanilla SQL Injection vulnerability in a non-authenticated portion of the application, which has a 50% likelihood of being exploited over a year period. If exploitation results in a material breach, the expected loss is $1,000,000 for incident handling and clean up. Applying our formula:</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">$1,000,000 (expected loss) x 0.5 (probability of breach) = $500,000 (risk)</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">In which case, in can be argued that if the SQL injection vulnerability in question costs less than $500,000 to fix, then that’s the reasonable choice. And, the sooner the better. If remediation costs more than $500,000, and I can’t imagine why, then leave it as is. <b>The lesson is that the less a vulnerability costs to fix the more sense it makes to do so. </b>Next, let’s change the variables to the other extreme. We’ll cut the expected loss figure in half and reduce the likelihood of breach to 1% over a year.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">$500,000 (expected loss) x 0.01 (probability of breach) = $5,000 (risk)</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Now, if vulnerability remediation of the SQL Injection vulnerability costs less than $5,000, it makes sense to fix it. If more, or far more, then one could argue it makes business sense not to. This is the kind of decision that makes the vast majority of information security professionals extremely uncomfortable and instead why they like to ask the business to, “accept the risk.” This way their hands are clean, don’t have to expose their inability to do risk management, and can safely pull an, “I told you so,” should an incident occur. Stating plainly, <b>if your position is recommending that the business should fix each and every vulnerability immediately regardless of the cost, then you’re really not on the side of the business and you will continue being ignored.</b></span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">What’s needed to enable better decision-making, specifically how to decide what known vulnerabilities to fix or not to fix, is a purpose-built risk matrix specifically for application security. A matrix that takes each vulnerability class, assigns a likelihood of actual exploitation using whatever available data, and containing an expected loss range. Where things will get far more complicated is that the matrix should take into account the authentication status of the vulnerability, any mitigating controls, the industry, resident data volume and type, insider vs external threat actor, a few other things to improve accuracy.&nbsp;</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;">While never perfect, as risk modeling never is, I’m certain we could begin with something incredibly simple that would far outperform our the way we currently do things — HIGH, MEDIUM, LOW (BLEH!). When it comes to vulnerability remediation, how exactly is a business supposed to make good informed decisions about remediation using traffic light signals?&nbsp;</span><span style="-webkit-text-stroke-width: initial;">As we’ve seen, and as all previous data indicates, they don’t. Everyone just guesses and 50% of issues go unfixed.</span></span></div><div style="font-stretch: normal; line-height: normal;"><span style="-webkit-text-stroke-width: initial; font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="-webkit-text-stroke-width: initial; font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><i>InfoSec's version of the traffic light: This light is green, because in most places where we put this light it makes sense to be green, but we're not taking into account anything about the current street’s situation, location or traffic patterns. Should you trust that light has your best interest at heart? &nbsp;No. &nbsp;Should you obey it anyway? &nbsp;Yes. Because once you install something like that you end up having to follow it, no matter how stupid it is.</i></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">Assuming for a moment the aforementioned matrix is created, all of a sudden it fuels the solution to the lack of efficiency in the application security testing process. Since we’ll know exactly what types of vulnerabilities we care about in terms of actual business risk and financial loss, investment can be prioritized to only look for those and ignore all the other worthless junk. Those bulky vulnerability assessment reports would likely dramatically decrease in size and increase in value.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">If we really want to push forward our collective understanding of application security and increase the value of our work, we need to completely change the way we think. We need to connect pools of data. Yes, we need to know what vulnerabilities websites currently have — that matter. We need to know what vulnerabilities various application security testing methodologies actually test for. Then we need to overlap this data set with what vulnerabilities attackers predominately find and exploit. And finally, within that data set, which exploited vulnerabilities lead to the largest dollar losses.</span></div><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-stretch: normal; line-height: normal;"><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif; font-kerning: none;">If we can successfully do that, we’ll increase the remediation rates of the truly important vulnerabilities, decrease breaches AND losses, and more efficiently invest our vulnerability assessment dollars. Or, we can leave the status quo for the next 10 years and have the same conversations in 2028. We have work to do and a choice to make.&nbsp;</span></div><span style="font-family: &quot;helvetica neue&quot; , &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;"></span><br /><div style="font-stretch: normal; line-height: normal; min-height: 12px;"><span style="font-kerning: none;"></span><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com11http://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.htmltag:blogger.com,1999:blog-13756280.post-71071867486062352022018-03-27T05:00:00.000-07:002018-03-27T14:53:28.032-07:00My next start-up, Bit Discovery<div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;"><b><a href="http://2.bp.blogspot.com/-RaW0jy0CwgA/WrpdOz0qM9I/AAAAAAAACbg/yTZFAF2jKHI_JTi9REpjdpaMWdFISJTiACK4BGAYYCw/s1600/bitdiscovery_logo.png" imageanchor="1"><img border="0" height="72" src="https://2.bp.blogspot.com/-RaW0jy0CwgA/WrpdOz0qM9I/AAAAAAAACbg/yTZFAF2jKHI_JTi9REpjdpaMWdFISJTiACK4BGAYYCw/s320/bitdiscovery_logo.png" width="320" /></a></b></span><br /><span style="font-family: &quot;helvetica neue&quot;;"><b><br /></b></span><span style="font-family: &quot;helvetica neue&quot;;"><b>The biggest and most important unsolved problem in Information Security, arguably all of IT, is asset inventory</b>. Rather, the lack of an up-to-date asset inventory that includes all websites, servers, databases, desktops, laptops, data, and so on. Strange as it sounds, the vast majority of organizations with more than even a handful of websites simply do not know what they are, where they are, what they do, or who is responsible for them. This is also strange because an asset inventory is the first step of every security standard and recommended by every expert.</span></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;"><br /></span></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">After many of years of research, it turns out the reason why is rather simple: There are currently no enterprise-grade products, or at least anything widely adopted, that solves this problem. This is important because obviously it’s impossible to secure what you don’t know you own. And, without an up-to-day asset inventory, the most basic and reasonable security questions simply can’t be answered:</span></div><div class="MsoNormal"></div><ul><li><span style="font-family: &quot;helvetica neue&quot;;">What percentage of our websites have been tested for vulnerabilities?</span></li><li><span style="font-family: &quot;helvetica neue&quot;;">Which of our websites have GDPR, PCI-DSS, or other compliance concerns?</span></li><li><span style="font-family: &quot;helvetica neue&quot;;">Which of our websites are up-to-date on their patches, or not?</span></li><li><span style="font-family: &quot;helvetica neue&quot;;">An organization has been acquired, what IT assets do they have?</span></li></ul><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">As of today, with <a href="https://bitdiscovery.com/" target="_blank"><b>Bit Discovery</b></a>, all of this is about to change. <a href="https://bitdiscovery.com/" target="_blank"><b>BitDiscovery</b></a> is a website asset inventory solution designed to be lightning fast, super simple, and incredibly comprehensive. <o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">While identifying the websites owned by a particular organization may sound simple at first blush, let me tell you, it’s not. In fact, asset inventory is probably the most challenging technical problem I’ve ever worked on in my entire career. As <a href="https://twitter.com/RSnake" target="_blank">Robert ‘RSnake’ Hansen’s</a>, member of <b>Bit Discovery’s</b> <a href="https://bitdiscovery.com/about" target="_blank">founding team</a> <a href="https://www.smartphoneexec.com/outsideintel-acquired-by-bit-discovery/" target="_blank">describes in glorious detail</a>, the variety of challenges are absolutely astounding. Just in terms of cpu, memory, disk, bandwidth, software and scalability in general, we’re talking about a legitimate big data problem.<o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">Then there’s the challenges that websites may exist on different IP-ranges, domains, hosting providers, fall under a variety of marketing brands, managed by various subsidiaries and partners, confused by domain typo-squatters and phishing scams, and may come and go without warning. Historically, finding all of an organizations websites is typically conducted through on-demand scanning seeded by a domain name or IP-address range. For anyone who has ever tried this model, they know it’s tedious, time consuming (hours, days, etc), and false-positive and false-negative prone. It became clear that solving the asset inventory problem required a completely different approach.<o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;"><b>Bit Discovery</b>, thanks to the acquisition and integration of <a href="https://www.outsideintel.com/" target="_blank">OutsideIntel</a>, is unique because we take routine snapshots of the entire Internet, organizing massive amounts of information (WHOIS, passive DNS, netblock info, port scans, web crawling, etc.), extract metadata, and distil it down to simple and elegant asset inventory tracking. As a completely web-based application, this is what gives <b>Bit Discovery</b> its incredible speed and comprehensiveness. Instead of waiting days or weeks for an asset discovery scan to complete, searches take just seconds or less. <o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">After years of hard work and months private beta product testing with dozens of Fortune 500 companies, we’re finally ready to officially announce <b>Bit Discovery</b> and just weeks away from our first full production release. I’m particularly proud and personally honored to be joined by an absolutely world-class founding team. As an entrepreneur you couldn’t ask for a better, more experienced, or inspiring group of people. All of us have worked together for many years on a variety of projects, and we’re ready for our next adventure! Our vision is that every organization in the world needs an asset inventory, which includes what we like to say, “Every. Little. Bit.”<o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b style="mso-bidi-font-weight: normal;"><span style="font-family: &quot;helvetica neue&quot;;">Founding Team (5):<o:p></o:p></span></b></div><div class="MsoNormal"></div><ul><li><span style="font-family: &quot;helvetica neue&quot;;"><a href="https://www.linkedin.com/in/grossmanjeremiah/" target="_blank">Jeremiah Grossman</a>(CEO)</span></li><li><span style="font-family: &quot;helvetica neue&quot;;"><a href="https://www.linkedin.com/in/roberthansen3/" target="_blank">Robert ‘RSnake’Hansen</a> (Chief Technology Office)</span></li><li><span style="font-family: &quot;helvetica neue&quot;;"><a href="https://www.linkedin.com/in/llanagrossman/" target="_blank">Llana Grossman</a>(Product Management)</span></li><li><span style="font-family: &quot;helvetica neue&quot;;"><a href="https://www.linkedin.com/in/lexarquette/" target="_blank">Lex Arquette</a>(Head of Engineering)</span></li><li><span style="font-family: &quot;helvetica neue&quot;;"><a href="https://www.linkedin.com/in/heather-konold-b388a020/" target="_blank">Heather Konold</a>(Chief of Staff)</span><span style="font-family: &quot;helvetica neue&quot;;">&nbsp;</span></li></ul><br /><div class="MsoNormal"><b style="mso-bidi-font-weight: normal;"><span style="font-family: &quot;helvetica neue&quot;;">Investment (</span></b><span style="font-family: &quot;helvetica neue&quot;;">$2,700,000, led by <a href="http://www.alignedvc.com/" target="_blank"><span style="mso-bidi-font-weight: bold;">Aligned</span>&nbsp;Partners</a>)<b style="mso-bidi-font-weight: normal;">: <o:p></o:p></b></span></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">As you can see, our goals at <b>Bit Discovery</b> are extremely ambitious and we need strong financial backing fully realize them. As part of the company launch, we’re also thrilled to announce a $2,700,000 early stage round led by Susan Mason (Managing Partner, <a href="http://www.alignedvc.com/" target="_blank">Aligned</a><a href="http://www.alignedvc.com/" target="_blank">&nbsp;Partners</a>). <o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: &quot;helvetica neue&quot;;">During our fund raising process, we interviewed well over a dozen exceptional venture capitalist firms, and we were very picky in the process. <span style="mso-bidi-font-weight: bold;">Aligned</span>’s experience, style, and investment approach matched with us perfectly. Their team specializes in experienced founding teams who have been-there-and-done-that, who operate companies in a capital efficient manner, who know their market and customers well, and where the founders and investors interests are in alignment. That’s us and we couldn’t be happier with the partnership.<o:p></o:p></span></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><br /></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><span style="font-family: &quot;helvetica neue&quot;;">And, as Steve Jobs would say, “one more thing.” Every company can benefit from the assistance and personal backing by other highly experienced industry professionals. The funding round includes individual investments by <a href="https://twitter.com/alexstamos" target="_blank">Alex Stamos</a> (Chief of Information Security, Facebook), <a href="https://twitter.com/thedarktangent" target="_blank">Jeff Moss</a> (Founder, Black Hat and Defcon), <a href="https://twitter.com/manicode" target="_blank">JimManico</a> (Founder, Manicode Security), and <a href="https://www.linkedin.com/in/brianmulveyio/" target="_blank">Brian Mulvey</a> (Managing Partner, PeakSpan Capital).<o:p></o:p></span></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><br /></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><span style="font-family: &quot;helvetica neue&quot;;">Collectively, between <b>Bit Discovery’s</b> founding team and investor group, I’ve never seen or heard of a more experienced and accomplished team that brings everything together for a company launch. We have everything we need for a runaway success story. We have the right team, the right product, the right financial partners, and we’re at the right time in the market. All we have to do is put in the work, serve our customers well, and the rest will take care of itself. <o:p></o:p></span></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><br /></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><span style="font-family: &quot;helvetica neue&quot;;">Finally, the <b>Bit Discovery</b> team wants to personally thank all the many people who helped us along the way and behind the scenes. We sincerely appreciate everyone’s help. We couldn’t have gotten this far without you. Look out world, we’re ready to do this!<o:p></o:p></span></div><div class="MsoNormal" style="tab-stops: 260.45pt;"><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com6http://blog.jeremiahgrossman.com/2018/03/my-next-start-up-bit-discovery.htmltag:blogger.com,1999:blog-13756280.post-81934528007126252022018-03-09T09:00:00.000-08:002018-03-09T09:20:20.276-08:00SentinelOne and My New Role <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"></div><a href="https://2.bp.blogspot.com/-Iwzw4Sxsnds/WqK9WN773hI/AAAAAAAACbA/LKJAh5xnRfMWrZnK5jdYHKVMPaOacSrKwCLcBGAs/s1600/orig3041707_SentinelOne_Logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: inherit;"><img border="0" data-original-height="239" data-original-width="409" height="116" src="https://2.bp.blogspot.com/-Iwzw4Sxsnds/WqK9WN773hI/AAAAAAAACbA/LKJAh5xnRfMWrZnK5jdYHKVMPaOacSrKwCLcBGAs/s200/orig3041707_SentinelOne_Logo.jpg" width="200" /></span></a><span style="font-family: inherit;"><a href="http://blog.jeremiahgrossman.com/2016/06/im-joining-fight-against-malware-and.html" target="_blank">Two years ago, I joined SentinelOne as Chief of Security Strategy</a> to help in the fight against malware and ransomware. I’d been following the evolution of ransomware for several years prior, and like a few others, saw that all the ingredients were in place for this area of cyber-crime to explode.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">We knew it was likely that a lot of people were going to get hurt, that significant damage could be inflicted, and something needed to be done. The current anti-malware solutions, even the most popular, were ill-equipped to handle the onslaught. Unfortunately, we weren’t wrong, and that was about the time I was first introduced to <a href="https://www.sentinelone.com/" target="_blank">SentinelOne</a>.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">When I met SentinelOne, it was just a tiny Silicon Valley start-up. It was quickly apparent to me that they had the right team, the right technology, and most importantly – the right vision necessary to make a meaningful difference in the world. SentinelOne is something special, a place poised for greatness, and an opportunity where I knew I could make a personal impact. The time was right for me, so I made the leap! Today, only a short while later, SentinelOne is a major player in the endpoint protection with super high aspirations.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">Since joining I have had a front row seat to several global ransomware outbreaks including WannaCry, nPetya, and other lesser-known malware events as the SentinelOne team "laid the hardcore smackdown" on all of them. One particularly memorable event was WannaCry launching at the exact moment I was on stage giving a keynote presentation to raise awareness about ransomware. Quite an experience, but also a proud moment as all of our customers remained completely protected. One can't hope for better than that!</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">On SentinelOne's behalf, I have had the unique opportunity to participate in the global malware dialog, learn a ton more about the information security industry, continue helping protect hundreds of companies, and something I’m personally proud of: launch the first ever product warranty against ransomware ($1,000,000). I contributed to some cutting-edge research alongside some truly brilliant and passionate people. It’s been a tremendous experience, one which I’m truly thankful for.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">I wish I had all the time in the world to pursue all of my many interests, which as an entrepreneur, is one of my greatest challenges. For me, it will soon be time to announce and launch my next adventure -- a new startup! I’ll share more details in a few weeks, but it’s something my co-founders and I have been quietly working on for years.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">The best part is that I don’t have to say goodbye to SentinelOne. I’ll be moving into a company advisory role. This way I still get to remain connected, in-the-know and continue helping SentinelOne achieve its full potential.</span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">For now, a very special thank you to everyone at SentinelOne, especially Tomer Weingarten (Co-Founder, CEO) for leading the charge and allowing me to be a part of the journey.</span><br /><br /><div><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com0http://blog.jeremiahgrossman.com/2018/03/sentinelone-and-my-new-role.htmltag:blogger.com,1999:blog-13756280.post-47548505417143956882017-04-18T14:04:00.001-07:002017-04-18T14:18:39.841-07:00The Ad-Tech Industry Must Finally Admit That Their Product (Ads) is Dangerous<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: inherit; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">How would you react if I told you that computer security experts are six times more likely to run just an ad blocking software on their PCs, over just anti-malware? Would you be surprised? </span></div><span style="font-family: inherit;"><b id="docs-internal-guid-871c2f1e-82d8-5be9-a576-cb63a91507a0" style="font-weight: normal;"><br /></b></span><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><br /><a href="https://3.bp.blogspot.com/-L59Wuptd_6I/WPZ-FT1co7I/AAAAAAAACag/FIdEO6RkBmI2-d2AeRhA9UIC8tQ0sof7wCLcB/s1600/Screen%2BShot%2B2017-04-18%2Bat%2B1.58.21%2BPM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="186" src="https://3.bp.blogspot.com/-L59Wuptd_6I/WPZ-FT1co7I/AAAAAAAACag/FIdEO6RkBmI2-d2AeRhA9UIC8tQ0sof7wCLcB/s320/Screen%2BShot%2B2017-04-18%2Bat%2B1.58.21%2BPM.png" width="320" /></span></a><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">That was the </span><a href="https://twitter.com/jeremiahg/status/774048835689512960" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">result from a Twitter poll</span></a><span style="background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> I conducted last year, in which more than 1,000 self-identified computer security experts shared that they are more concerned about ads than malware. While social media polls are admittedly unscientific, I’d argue these numbers are actually pretty close to reality, which means that roughly three-out-of-four computer security experts largely view ad-blocking as a more indispensable part of protection than anti-virus software by far. Let that sink in for a moment.</span></span><a href="https://3.bp.blogspot.com/-0RE6AJpI9yc/WPZ-FQ2kdMI/AAAAAAAACac/NOxBjyDoHiQ6baG_qDMg4e87-JLzq10MQCLcB/s1600/Screen%2BShot%2B2017-04-18%2Bat%2B1.58.30%2BPM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: inherit;"></span></a><a href="https://3.bp.blogspot.com/-rcOvd7vILZM/WPZ9xY7xQbI/AAAAAAAACaY/96nzskhmo70YCq91CvZYQ5pWtvMhmLkywCLcB/s1600/CgYRDK0W8AA2hxn.jpg-large.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: inherit;"></span></a></div><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-0RE6AJpI9yc/WPZ-FQ2kdMI/AAAAAAAACac/NOxBjyDoHiQ6baG_qDMg4e87-JLzq10MQCLcB/s1600/Screen%2BShot%2B2017-04-18%2Bat%2B1.58.30%2BPM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="167" src="https://3.bp.blogspot.com/-0RE6AJpI9yc/WPZ-FQ2kdMI/AAAAAAAACac/NOxBjyDoHiQ6baG_qDMg4e87-JLzq10MQCLcB/s320/Screen%2BShot%2B2017-04-18%2Bat%2B1.58.30%2BPM.png" width="320" /></a></div><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Malvertising, or malicious ads, are hurting people – a lot of people. Anyone who is familiar with the malware problem will tell you that. </span><a href="https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">As just one example of many</span></a><span style="background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, last year ads appeared on the New York Times, BBC, AOL, NFL and other popular websites in a malicious campaign attempting to install “ransomware” on visitors’ computers. To put things into context, the chances are better that the average internet user - </span><a href="https://twitter.com/jeremiahg/status/840275529760559104" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">roughly 99 percent of the population - will be hacked via their own browser then they will by a nation-state</span></a><span style="background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The reason for this? Online ads.</span></span><br /><span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span><span style="color: black; font-family: inherit; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-rcOvd7vILZM/WPZ9xY7xQbI/AAAAAAAACaY/96nzskhmo70YCq91CvZYQ5pWtvMhmLkywCLcB/s1600/CgYRDK0W8AA2hxn.jpg-large.jpeg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="239" src="https://3.bp.blogspot.com/-rcOvd7vILZM/WPZ9xY7xQbI/AAAAAAAACaY/96nzskhmo70YCq91CvZYQ5pWtvMhmLkywCLcB/s320/CgYRDK0W8AA2hxn.jpg-large.jpeg" width="320" /></a></div><span style="font-family: inherit;"><span style="color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;">I understand the business model… really, I do. Publishers rely on their viewers seeing ads because that’s how they make their money. In return they provide all of us with free content and services. If ads are blocked, publishers make less money, and the free content and services dries up. On the other hand, these same ads are one of the leading threats to personal security and privacy. So, what we have here is an online version of a </span><a href="https://en.wikipedia.org/wiki/Mexican_standoff" style="text-decoration: none;"><span style="color: #1155cc; font-size: 12pt; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Mexican standoff</span></a><span style="color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;">. Neither side is able to proceed without exposing themselves to danger.&nbsp;</span></span></div><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: black; font-family: inherit; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="font-family: inherit;"><span style="color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;">So here we are without many technical options: &nbsp;the only thing internet users can do to protect themselves is to install an ad blocker (</span><a href="https://www.nytimes.com/2017/01/31/technology/ad-blocking-internet.html" style="text-decoration: none;"><span style="color: #1155cc; font-size: 12pt; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">like hundreds of million of users have already done</span></a><span style="color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;">); and the only thing a publisher can do is to use an ad blocker detector on their website(s). </span></span><span style="font-family: inherit; font-size: 12pt; white-space: pre-wrap;">This allows them to decide to block content and/or issue a plea to whitelist their ads. Unfortunately, the technology model for publishers to ‘safely’ include third-party content such as ads into their pages is also lacking. There just isn’t a comprehensive and scalable way to check billions of ads daily to see if they’re safe to distribute – or if the origin of an ad is reputable. </span><span style="font-family: inherit;"><span style="color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;">Of course, publishers can also supplement or replace advertising revenue streams with a paid-for-content model, hosting </span></span><span style="white-space: pre-wrap;">conferences, asking for donations, and so on.</span></div><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit; font-size: 12pt; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; font-size: 12pt; white-space: pre-wrap;">Let's also be very clear— neither the publisher, advertisers, or the ad-tech industry that binds everything together takes on any liability for malvertising, infecting a user with malware, or the resultant damage. This also means that they have zero incentives to meaningfully address the problem, and never ever seem to want to talk about the security concerns that make ad blocking an essential security practice. They only want to talk about the money their side is losing, or how to make ads more visually tolerable. But even if ads magically become less obnoxious and less costly in terms of bandwidth, we still have the security problem. Until the advertising technology industry admits that their product - the ads themselves - &nbsp;are simply dangerous, there can be no real resolution.</span></div><br /><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com1http://blog.jeremiahgrossman.com/2017/04/the-ad-tech-industry-must-finally-admit.htmltag:blogger.com,1999:blog-13756280.post-5632284088649888932017-02-20T21:52:00.001-08:002017-10-16T12:11:54.817-07:00InfoSec warranties and guarantees <div style="background-color: white; border: 0px; margin-bottom: 12px; padding: 0px;"><span style="font-family: &quot;segoe ui&quot; , &quot;segoe ui emoji&quot; , &quot;segoe ui symbol&quot; , &quot;lato&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , &quot;arial&quot; , sans-serif;"><span style="font-family: inherit; font-size: 14px;">This is a living list of InfoSec companies who offer warranties and guarantees on their various products and services. If you know of others that should be on the list, please comment.&nbsp;</span></span></div><ol><li><span style="font-family: &quot;segoe ui&quot; , &quot;segoe ui emoji&quot; , &quot;segoe ui symbol&quot; , &quot;lato&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , &quot;arial&quot; , sans-serif;"><span style="font-family: inherit; font-size: 14px;"><a href="http://blog.cymmetria.com/new-warranty-program-against-advanced-persistent-threats-apts" target="_blank">Cymmetria</a></span></span></li><li><a href="https://www.knowbe4.com/ransomware-guarantee" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;" target="_blank"><span style="font-family: inherit;">KnowBe4</span></a></li><li><span style="font-family: inherit;"><a href="https://www.astechconsulting.com/astech-guarantee" target="_blank">AsTech Consulting</a>&nbsp;(<a href="https://www.astechconsulting.com/press-release/astech-expands-paragon-security-program-guarantee-against-data-breach-related-costs-to-5-million?utm_content=57425852" target="_blank">press release</a>),</span>&nbsp;<a href="https://www.astechconsulting.com/astech-managed-qualys-services" target="_blank">Vigilance</a> / Qualys (<a href="https://www.astechconsulting.com/astech-vigilance-guaranteed-managed-qualys-services-terms-conditions" target="_blank">terms</a>)</li><li><a href="http://www.waratek.com/no-false-positive-guarantee/" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;" target="_blank"><span style="font-family: inherit;">Waratek</span></a></li><li><a href="https://sentinelone.com/wp-content/uploads/2016/07/Brochure-Ransomware-Vertical-Online.pdf" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;" target="_blank"><span style="font-family: inherit;">SentinelOne</span></a></li><li><a href="https://www.trusona.com/news/2016/5/16/worlds-first-insured-authentication-provides-1m-coverage-per-financial-transaction" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;" target="_blank"><span style="font-family: inherit;">Trusona</span></a></li><li><a href="https://www.whitehatsec.com/terms-conditions/sentinel-elite-april-28-2015/" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;" target="_blank"><span style="font-family: inherit;">WhiteHat Security</span></a></li><li><span style="font-family: inherit;"><a href="https://www.symantec.com/content/en/us/about/media/repository/netsure-protection-plan.pdf" style="font-family: Arial, Helvetica, sans-serif;" target="_blank">Symantec</a><span style="font-family: &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">&nbsp;&amp; </span><a href="https://us.norton.com/how-we-protect-you/money-back-guarantee" style="font-family: Arial, Helvetica, sans-serif;" target="_blank">Norton (money-back)</a></span></li><li><a href="https://www.mcafee.com/consumer/en-us/store/m0/catalog/mav_512/mcafee-antivirus-plus.html?pkgid=512" style="font-family: Arial, Helvetica, sans-serif;" target="_blank"><span style="font-family: inherit;">McAfee (money-back)</span></a></li><li><span style="font-family: inherit;"><a href="https://www.trustwave.com/Services/Managed-Security/Zero-Malware-Guarantee/" style="font-family: Arial, Helvetica, sans-serif;" target="_blank">Trustwave</a><span style="font-family: &quot;arial&quot; , &quot;helvetica&quot; , sans-serif;">&nbsp;</span></span></li><li><span style="font-family: inherit;"><a href="http://www.hipaasecurenow.com/" target="_blank">HIPAA Secure New</a></span></li><li><span style="font-family: inherit;"><a href="https://www.forcepoint.com/security-service-level-agreement" target="_blank">Forcepoint</a></span></li><li><a href="https://www.avira.com/en/service-level-agreement" target="_blank">Avira</a></li><li><a href="https://www.proofpoint.com/sites/default/files/30427798_proofpoint_essentials_sla_-_pfpt_august_08152015.pdf" target="_blank">Proofpoint</a></li><li><a href="https://www.digicert.com/docs/agreements/DigiCert_RPA.pdf" target="_blank">DigiCert</a>&nbsp;</li><li><a href="https://blog.comodo.com/pc-security/was-the-company-that-sold-you-your-network-security-system-confident-enough-in-its-product-to-include-a-5000-guarantee/" target="_blank">Comodo</a></li><li><a href="https://www.armor.com/cyber-warranty/" target="_blank">Armor</a></li><li><a href="https://www.verizondigitalmedia.com/platform/edgecast-cdn/cdn-performance/" target="_blank">Verizon (100% uptime SLA)</a>, <a href="https://twitter.com/tzaw/status/918613602872918016" target="_blank">including DDoS</a></li></ol><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com0http://blog.jeremiahgrossman.com/2017/02/infosec-warranties-and-guarantees.htmltag:blogger.com,1999:blog-13756280.post-16732511839004096062017-02-01T15:58:00.001-08:002017-02-01T15:58:27.469-08:00InfoSec Start-up Advising and Product Recommendations<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;">As a long-time InfoSec veteran and entrepreneur, I’m often asked by company founders to join their advisory board and lend a hand. Sometimes the founders need someone with experience they can trust to bounce ideas off of, provide guidance on how to scale their business, point out the many pitfalls to avoid, make key introductions, and so on. I’ve been in this advisor role for many years, as well as mentoring more than fifty young businesses over the last five years alone through a startup incubator. Making this contribution has been highly rewarding, both personally and professionally. It leverages the many successes and mistakes I’ve made in my career to help others. Advising and mentoring is something I plan to continue doing for the foreseeable future. The only downside is that due to time constraints, I have to be extremely selective.&nbsp;</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;">When I come across a hot new start-up, I fully research the company, try out the product, research their target market, meet the management team, speak with a handful of customers, and if I have something useful to offer, only then do I feel comfortable enough to get involved. Oh, another requirement is that none should be competitive with one another. Because I do my homework and have a deep understanding of the information security industry, I’m often asked by colleagues what companies I’d recommend in a particular space or a product to solve a particular enterprise problem. For those interested, below is where I’ve placed my bets and what I’m recommending.</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><i><b>Full Disclosure</b>: I’ve a financial interest in most of these companies below, but not all of them. And if I don't have a stake, it doesn't mean I won't recommend them -- I can be just as impressed otherwise. I’ve also indicated where I serve in an official advisory capacity.</i></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><b><u><span style="font-family: inherit;">Anti-Bot</span></u></b></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><b><span style="font-family: inherit;"><br /></span></b></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><a href="https://www.funcaptcha.com/about/" target="_blank">FunCAPTCHA</a> (Advisory Board)</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;">“FunCaptcha is the fastest and most effective way to protect your website from spam and abuse. We stop billions of spammers every year for clever brands that monetize their registrations and content.”</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><b><u><span style="font-family: inherit;">Anti-Virus / Endpoint Protection (Enterprise)</span></u></b><br /><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><a href="https://sentinelone.com/" target="_blank">SentinelOne</a> (Employed)</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;">"SentinelOne unifies endpoint threat prevention, detection and response in a single platform driven by sophisticated machine learning and intelligent automation. With SentinelOne, organizations can detect malicious behavior across multiple vectors, rapidly eliminate threats with fully-automated, integrated response capabilities, and adapt their defenses against the most advanced cyber attacks."</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><b><u><span style="font-family: inherit;">Bug Bounty / Security Crowd-Sourcing</span></u></b></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><a href="https://bugcrowd.com/" target="_blank">Bugcrowd</a>&nbsp;(Advisory Board)</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="-webkit-text-stroke-width: initial;">"</span><span style="-webkit-text-stroke-width: initial;">The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of tens of thousands security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd’s proprietary vulnerability disclosure platform is deployed by Tesla, Pinterest, Western Union, Fitbit and many others."</span></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><b><span style="font-family: inherit;">Website Vulnerability Assessment&nbsp;</span></b></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><a href="https://www.whitehatsec.com/" target="_blank">WhiteHat Security</a> (Founder)</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;">"WhiteHat Security is the leading provider of website risk management solutions.&nbsp;<span style="-webkit-text-stroke-width: initial;">Sentinel, WhiteHat's flagship product, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership."</span></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><b><u><span style="font-family: inherit;">Security Risk and Vulnerability Intelligence</span></u></b></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><a href="https://www.kennasecurity.com/" target="_blank">Kenna Security</a>&nbsp;(Advisory Board)</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;">"Kenna is a software-as-a-service Risk and Vulnerability Intelligence platform that accurately measures risk and prioritizes remediation efforts before an attacker can exploit an organization’s weaknesses. Kenna automates the correlation of vulnerability data, threat data, and 0-day data, analyzing security vulnerabilities against active Internet breaches so that InfoSec teams can prioritize remediations and report on their overall risk posture."</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><b><u><span style="font-family: inherit;">Security-in-the-SDLC / Security Requirements&nbsp;</span></u></b></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><a href="https://www.securitycompass.com/sdelements/" target="_blank">SD Elements</a>&nbsp;(Advisory Board)</span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="-webkit-text-stroke-width: initial;"><span style="font-family: inherit;">"SD Elements automates software security requirements based on your project’s technology, business and compliance drivers. SD Elements eliminates security vulnerabilities in the most cost effective way, before scanning begins."</span></span></div><span style="font-family: inherit;"><span style="background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;"><br /></span><span style="background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;"><br /></span></span><br /><div style="line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><b><u><span style="-webkit-text-stroke-width: initial;">AppSec&nbsp;</span>Vulnerability<span style="-webkit-text-stroke-width: initial;">&nbsp;Remediation</span></u></b></span></div><div style="line-height: normal; min-height: 13px;"><span style="background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;"><span style="font-family: inherit;"><br /></span></span></div><div style="line-height: normal; min-height: 13px;"><span style="background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;"><a href="https://www.astechconsulting.com/" target="_blank"><span style="font-family: inherit;">AsTech Consulting</span></a></span></div><div style="line-height: normal; min-height: 13px;"><span style="background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;"><span style="font-family: inherit;">"AsTech Consulting is a security consulting company which helps clients understand their risks and what to do about them. As independent security specialists, we employ very experienced security professionals, more than half of which have over 15 years of relevant experience." </span></span></div><div style="line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;"><b><u><span style="font-family: inherit;">Runtime Application Self-Protection (RASP)</span></u></b></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;"><span style="font-family: inherit;"><br /></span></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><a href="https://www.prevoty.com/" target="_blank"><span style="font-family: inherit;">Prevoty</span></a></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;"><span style="font-family: inherit;">"Prevoty provides a new RASP (runtime application self-protection) capability, enabling applications to protect themselves. Unlike traditional security approaches that try to defend against hackers at the network layer, Prevoty works inside the application itself and the analysis engine is smart enough to actively prevent anything malicious from executing. " </span></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><u><b><span style="font-family: inherit;">Browser Security &amp; Privacy</span></b></u></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><a href="https://www.brave.com/" target="_blank"><span style="font-family: inherit;">Brave</span></a></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="-webkit-text-stroke-width: initial;"><span style="font-family: inherit;">"We have a mission to save the web by increasing browsing speed and safety for users, while growing ad revenue share for content creators."</span></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com1http://blog.jeremiahgrossman.com/2017/02/infosec-start-up-advising-and-product.htmltag:blogger.com,1999:blog-13756280.post-75873676222248531682016-10-20T12:12:00.003-07:002016-10-20T12:14:07.729-07:00What keeps me in the security industry<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;">It’s common for long-time information experts like myself to be asked what keeps us in the security industry. Some say it’s a good stable job that nicely pays the bills. Others find the work interesting and enjoy the constant intellectual challenge. Some the like the people, the community, the culture, and exchange of ideas. Of course for many, it be some combination of all these things. For myself, while each of the above plays a part, I must admit those haven’t been my core reasons to stay on for a long time now.</div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;"><br /></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;">Like I’ve said many times in the past, the Internet is single greatest invention we’re likely to witness in our lifetime. The Internet is a place that now connects over 2 billion people. The Internet is how we communicate and keep up with friends and family. It’s where we shop. It’s how we learn about ourselves and the world. It’s where bank and pay bills. It’s what entertains us and how we get from place to place. It’s how we better ourselves. Entire economies are now dependent on the Internet. If you think about it, we’re often more open and honest about our most intimate secrets with the Google search box than any our closest confidants. There is not a single person among us, or perhaps anyone we know, that won’t be online today. Something this important, this vital to the world and to humanity, must be protected. The Internet.</div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;"><br /></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;">The time each of us has in this life is limited and far too short. Every day is a gift. And in that time few people ever get an opportunity to be a part of something greater than themselves. A chance to make an impact and to do something that truly matters. Internet security matters. So for me, to play even a small part in helping to protect the Internet and the billions of people connected feels like a good way to spend ones life time. That’s why I’m still here.</div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;"><br /></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;">In the immortal words of Dan Geer, “There is never enough time. Thank you for yours.”</div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com5http://blog.jeremiahgrossman.com/2016/10/what-keeps-me-in-security-industry.htmltag:blogger.com,1999:blog-13756280.post-829090760588894412016-06-06T15:13:00.001-07:002016-06-06T15:36:08.674-07:00I'm joining the fight against malware and ransomware with SentinelOne<span style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial;"><span style="font-family: inherit;"><a href="http://www.reuters.com/article/us-sentinelone-grossman-idUSKCN0YS0WW" target="_blank">Today</a> <a href="http://www.securityweek.com/whitehat-founder-jeremiah-grossman-joins-sentinelone" target="_blank">is a big</a> <a href="http://www.internetnews.com/blog/skerner/famed-whitehat-security-founder-joins-sentinelone.html" target="_blank">day for</a> <a href="http://solutionsreview.com/endpoint-security/sentinelone-hires-whitehat-founder-jeremiah-grossman-as-chief-of-security-strategy/" target="_blank">me</a>. I’m contributing to a company called <a href="https://sentinelone.com/" target="_blank">SentinelOne</a>, but I really don’t think of it as a job. I’ve accepted an opportunity to work side by side with other brilliant and highly motivated people where we’re all helping to solve important and challenging InfoSec problems. In this case, malware and ransomware. You see, more than anything, I want to make a positive impact on InfoSec. As I’ve said many times, we who work InfoSec are responsible for protecting the greatest invention we’ll see if our lifetime — the Web, the Internet, and the billions of people using it every day. That’s our mission, our calling. As such, I’ve always kept a evolving list of our industries biggest challenges, which I include in most of my slide decks.</span></span><br /><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><ol><li style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="line-height: normal;"></span><span style="font-kerning: none;">Intersection of security guarantees and cyber-insurance</span></span></li><li style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="line-height: normal;"></span><span style="font-kerning: none;">Explosion of Ransomware</span></span></li><li style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="line-height: normal;"></span><span style="font-kerning: none;">Vulnerability remediation</span></span></li><li style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="line-height: normal;"></span><span style="font-kerning: none;">Industry skill shortage</span></span></li><li style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="line-height: normal;"></span><span style="font-kerning: none;">Measuring the impact of SDLC security controls</span></span></li></ol><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal;"><span style="font-kerning: none;"><span style="font-family: inherit;">The only problem on the list I haven’t gotten the chance to work on is ransomware, an incredibly effective and fast-growing form of malware that’s taking over. I’ve long railed hard about the crap antivirus products on the market and the billions of dollars people and companies spend annually to effectively make themselves less secure. Yes, that’s right, I said LESS secure. The <a href="http://www.latimes.com/nation/la-na-0407-cyber-hospital-20160407-story.html" target="_blank">FBI recently published that ransomware</a> victims paid out $209 million in Q1 2016 compared to $24 million for ALL of 2015. Some non-trivial percentage of those ransom dollars will be used for R&amp;D, so the smart money says ransomware will quickly get even more sophisticated and out of hand. And to that point, in recent and well publicized news, ransomware is also responsible for disrupting the care of patients in a few hospitals. This can’t be allowed — lives are at risk!</span></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal;"><span style="font-kerning: none;"><span style="font-family: inherit;"><a href="http://blog.jeremiahgrossman.com/2016/03/my-last-days-at-whitehat-and-setting.html" target="_blank">In my life after WhiteHat</a>, I looked at ton of companies and interesting opportunities where I could lend a helping hand, of which there was no shortage. My inbox was crushed with many worthy projects, but I knew I had to choose wisely. Then out pops a company with some super cool tech and few have heard of them, SentinelOne. SentinelOne is right smack in the middle of the malware/ransomware war, for which Gartner calls next-generation endpoint protection (NG EPP). I met with the founders, the team, all super cool and passionate people. A real gem of a start-up. I felt strongly that I needed to join this fight. Plus, I’ll be working on some exciting stuff behind that scenes that I can’t wait to share with world. Good things take time, so please, standby!</span></span></div><div><span style="font-kerning: none;"><br /></span></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com4http://blog.jeremiahgrossman.com/2016/06/im-joining-fight-against-malware-and.htmltag:blogger.com,1999:blog-13756280.post-10531101333985524642016-05-23T13:59:00.002-07:002016-05-23T14:02:08.044-07:00Life is Better without Username Reuse (email aliases FTW!)<div style="line-height: normal;">Facebook, LinkedIn, Amazon, PayPal, Yahoo, Google. We keep accounts with many of these websites. They and many others use email addresses as the first half of the classic username and password combo. They do this because email addresses are unique and double as a reasonably secure communication channel with the user. And of course we often sign-up for things online to receive information by entering our email address. All this email address sharing, while technically nothing being wrong with it, unfortunately causes several highly annoying problems. These problems can be solved, or at least made far easier to deal with, by leveraging email address aliases. An email alias is where you create one or more email addresses that all send to the same account, vaguely similar to desktop folder shortcuts.<br /><br />With email address sharing / username reuse, by far the biggest problem we run into is spam. And the more we share and reuse our email addresses across systems, the bigger the spam problem becomes. Sometimes websites sell our email addresses. Other times they share them with third-partie business partners, and from time to time they get leaked in a data breach. Whatever the case, once an email address is out there, it’s out there. No taking it back and no amount of mailing list opting out will help. I know. I’ve tried.<br /><br />There are other problems too. Anyone who knows your email address can easily determine what systems you’re using (i.e. “This email address is already registered.”). This issue is not only a privacy issue, but a potential security issue as it makes it easier to target your account via brute force, phishing, password recovery hacks, etc. And of course when you have several online accounts, you’re constantly notified via email, which explodes your inbox. Creating rules in your email app using strings in the subject or content body helps, but doing so isn’t easy and never comprehensive. When all these problems are tied to your email email address, there is no escape. You can’t easily kill or change your main email address because all your friends, family, and business contacts use it too.<br /><br />My solution to these problems, which has been working great, is by using email address aliases based on custom domain name. For example, my personal domain is jeremiahgrossman.com. So as an example, I create a new email alias that’s just for Facebook, like fb@jeremiahgrossman.com. Or on Paypal it would be pp@jeremiahgrossman. You can technically use any email alias for this purpose, even a random one. When email is sent to these aliases they automatically forward to my main email address. I never reuse these email address aliases for any other than their intended use, and never use my main email address to register for anything if I can help it.<br /><br />It does cost a few bucks to pay for domain name and email hosting, but it ain’t much these days and the value is WAY worth it. When things are set up this way, I can be reasonably sure that any email to these aliases, that is supposedly from them, is legit and not a phishing scam because no one else knows the email address / username I used. And since the particular website is only using the email address alias I gave them, inbox rules are way easier.<br /><br />Then if the email address is leaked, gets spammed out, or whatever, I can just kill it off, create another, and change the account email address / username. The up front work is a little tedious, but again, worth it. And the best part, when you have your own domain name, email aliases are essentially free — I’ve about 100 now. And there is no reason you can’t use any old crap domain name either.<br /><br />Good luck!<br /><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com12http://blog.jeremiahgrossman.com/2016/05/life-is-better-without-username-reuse.htmltag:blogger.com,1999:blog-13756280.post-73034890627702306732016-05-18T11:20:00.002-07:002016-05-18T11:22:14.789-07:00Millions experience serious computer security problems and have no one to call for help<div class="Body">A couple times a week, people I may or may not know reach out to me for help because they’re experiencing some kind of computer security catastrophe. Sometimes the situation is serious, other times not. They might be dealing with an online bank account takeover, online scam, data breach, malware infection, identity theft, and the list goes on and on from there. Whatever the circumstance, a great many people often find themselves thrust into the deep end of this technology driven world, without the know-how to solve the problem on their own, and no one to call for help. These experiences are especially painful for the elderly and small-business owners, whose livelihood are disrupted, and the stress takes a toll on them. Personally, I hate it when good people get taken advantage of.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">In the most recent case, I was introduced to the founder of a TV and movie production company through a mutual friend. They explained that someone is messing with their website and actively using their company name to scam their business contacts. They said ‘hacked,’ but that could mean anything these days. The situation was causing them real brand damage, and with over a dozen show titles to their credit, the business impact is severe. Even over the impersonal medium of email, you could sense a deep feeling of helplessness and desperation. As you might expect, I tend to keep myself happily occupied with family, work, and martial arts and don’t have a lot of time to spare for things like this. But, this plea originated from a good friend, the victim didn’t have anyone else to turn to, and helping out felt like the right thing to do.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">After taking a call and exchanging a few emails, I got the real story. Someone, a scammer, registered an incredibly similar domain name to the legitimate one used by the production company. The fake domain name was being used to create a clone of the real website. The scammer then subtly changed the names and photos of the staff and updated the contact information so that any incoming communication would instead go to them. Through email, phone calls, or search results visitors would be contacted by the scammer, who pretended to be with the production company, and would proceed to con their victims out of money. This is a simple, inexpensive, and effective scam that could happen to basically anyone – and it does.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">The near-term plan was to get the scam website taken down. Long-term, try to take ownership over the look-a-like domain name. <o:p></o:p></div><div class="Body"><br /></div><div class="Body">To start, the first thing I needed to know is who owns the offending domain name. A quick WHOIS lookup revealed the registrar is GoDaddy, but the domain owner itself was masked by Domains By Proxy, a popular service for those wishing to preserve their online privacy. I often use this service myself! This means without going through a legal process, obtaining the real domain owner information isn’t going to happen. Still, in the event the production company would like to try and get ownership over the domain using ICANN’s and trademark law, they have the registrar info to further that process. Next, I needed to identify where the website is being hosted. The ‘dig’ command easily gets me the IP address of the cloned website and an ARIN lookup tells me who the IP address belongs to — the name of the hosting provider. For those curious, collectively performing these tasks took me far less time than writing this paragraph.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">Let’s pause our story for a moment to consider the technical knowledge required to get this far, which includes a set of skills many techies take for granted and forget that the vast majority of people simply don’t have. Few people can explain what a domain name is, have any idea what a domain registrar or an IP address is, what’s WHOIS, or even ICANN. They’ve certainly never heard of ARIN, and only a vague familiarity with hosting providers for that matter. And thus far, we’ve only collected purely public<span lang="FR" style="mso-ansi-language: FR;"> information </span>and in doing so reached a point where most can’t get to on their own. Techies should empathize and exercise patience with those not nearly as literate in how the Internet works as we are. Anyway, back to our story.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">Now that we’ve learned who the hosting provider is, I helped the production company founder draft an email to send that concisely explains the problem and what we’d like the action to be. Take down the website! Their website nicely listed the abuse@ email address and I pressed send on the message. I figured it could be a while for them to get back to us, and in the meantime decided to take a close look at the scammer’s website.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">Using every web hackers best friend, view-source, I skimmed the underlying code of the website. Maybe the scammer left clues as to their identity, tools they used to clone the website, or whatever. In less than 60 seconds, I immediately spotted something very interesting. While the HTML of the page is hosted locally, all the CSS, images, and most importantly, the Javascript is being SRC’ed in from the real website! As you’ll see if a moment, this was a major oversight on the scammer’s part. Are you thinking what I’m thinking? We’ll see. :)<o:p></o:p></div><div class="Body"><br /></div><div class="Body" style="margin-left: .25in; mso-list: l0 level1 lfo2; text-indent: -.25in;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Helvetica; mso-fareast-font-family: Helvetica; mso-hansi-font-family: &quot;Arial Unicode MS&quot;;"><span style="mso-list: Ignore;">1)<span style="font: 7.0pt &quot;Times New Roman&quot;;">&nbsp;&nbsp;&nbsp; </span></span></span><!--[endif]-->In the logs of the real website, we should be able to ascertain who and how many people visited the scammers website. Because every time someone visits one of his web pages, their browser automatically pulls in the aforementioned third-party content from something we control. This means the visitors IP address is logged, as is what web page they are currently looking at — called the referer. And yes, this is intentionally misspelled and a throwback to Internet antiquity. <o:p></o:p></div><div class="Body"><br /></div><div class="Body" style="margin-left: .25in; mso-list: l0 level1 lfo2; text-indent: -.25in;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Helvetica; mso-fareast-font-family: Helvetica; mso-hansi-font-family: &quot;Arial Unicode MS&quot;;"><span style="mso-list: Ignore;">2)<span style="font: 7.0pt &quot;Times New Roman&quot;;">&nbsp;&nbsp;&nbsp; </span></span></span><!--[endif]-->If we have the visitors IP address information, it’s quite likely we also have the scammer’s too! Provided they didn’t mask that as well. And if they are, that’s useful bit of information as well. Either way, their IP address is probably the first one we see the in the logs when the referer of the fake website appeared. If we decide to go after the bad guy directly, we at least have something to begin tracking them down with. Subpoenaing the hosting provider or Domains By Proxy is of course another possible course of action, but we’ll see about that path later.<o:p></o:p></div><div class="Body"><br /></div><div class="Body" style="margin-left: .25in; mso-list: l0 level1 lfo2; text-indent: -.25in;"><!--[if !supportLists]--><span style="mso-bidi-font-family: Helvetica; mso-fareast-font-family: Helvetica; mso-hansi-font-family: &quot;Arial Unicode MS&quot;;"><span style="mso-list: Ignore;">3)<span style="font: 7.0pt &quot;Times New Roman&quot;;">&nbsp;&nbsp;&nbsp; </span></span></span><!--[endif]-->This is the big one. Any web hacker would have quickly theorized that we can probably modify the javascript on the real website, which again is called by the fake website, to at least temporarily redirect it’s visitors. And, that’s exactly what we did! A quick 3-line block of code did just the trick!<o:p></o:p></div><div class="Body"><br /></div><blockquote class="tr_bq"><span style="color: #38761d;">if (window.location.host != ‘&lt;<a href="http://real-website.com/"><span class="Hyperlink0">real-website.com</span></a>&gt;') {<br />&nbsp; &nbsp; &nbsp; &nbsp; window.location = ‘&lt;<a href="http://real-website.com/"><span class="Hyperlink0">real-website.com</span></a>&gt;’;<br />}<br /><o:p>&nbsp;</o:p></span></blockquote><div class="Body"><o:p></o:p></div><div class="Body"><o:p></o:p></div><div class="Body"><o:p></o:p></div><div class="Body">At this moment, we got the production company and visitors of the scammer’s website some immediate relief. That is until the bad guy notices what we did and updates their website code, which is trivial to do. Next I ask the domain registrar (GoDaddy) about the process for taking ownership over <span lang="FR" style="mso-ansi-language: FR;">domain</span> names that are designed for abuse. They point us towards an ICANN’s trademark dispute policy and suggested we consult with a lawyer experienced in such legal measures. I then advise the founder to seriously consider going down his route.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">A couple days go by, and while we wait for the hosting provider to respond, we notice the aforementioned redirect stopped working. As expected, the scammer caught on and fixed their code so that all the web page files now point locally. Drat! What we did learn is the scammer is sentient, responsive, and persistent. He didn’t care so much that were we onto his little <span lang="IT" style="mso-ansi-language: IT;">game.</span><span lang="IT"> </span>Interesting. Such brazenness indicated that the scammer is probably outside the US jurisdiction – or optionally just stupid. Then like magic on the same exact day, and the timing could not have been better, the hosting provider informs us that they completed their investigation and disable the scammers website. Success! <o:p></o:p></div><div class="Body"><br /></div><div class="Body">For now, my work is done and the production company founder profusely express their thankfulness. This was a good feeling. However, that doesn’t necessarily mean this is the end of our little story, or that it will be a happy one. After all, this is the security of the web we’re talking about, and plainly said, it’s fundamentally broken. <o:p></o:p></div><div class="Body"><br /></div><div class="Body">You see, the scammer can easily set up shop with a new hosting provider and start the identical scam all over again and there is absolutely nothing anyone can do to prevent that. There is no good way to help visitors tell the difference between the real website from the fake one. And even if we use ICANN’s process to take ownership over the domain name, the scammer could easily just register another suitable look-a-like domain in no time flat and we’re back at it all over again. This problem is never ending and there really is no good way to solve it once and for all. A website owner’s only option is to wait for something bad to happen, give me or someone else with the right skills a call for help, and proceed similarly.<o:p></o:p></div><div class="Body"><br /></div><div class="Body">What I can do is actively monitoring the illegitimate domain name to see when and if it’s IP address changes. If it does, this would indicate that the scammer is moving hosting providers. It took a couple weeks, and that’s exactly what appears to be happening right now. Grr. This is kind of thing happens every day, to who knows how many people, and honestly I’m not sure what the answer is. One thing I do know, the world needs the help of a lot more good computer security people. Join in!<o:p></o:p></div><div class="Body"><br /></div><!--[if gte mso 9]><xml> <o:DocumentProperties> <o:Revision>0</o:Revision> <o:TotalTime>0</o:TotalTime> <o:Pages>1</o:Pages> <o:Words>1415</o:Words> <o:Characters>8069</o:Characters> <o:Company>WhiteHat Security</o:Company> <o:Lines>67</o:Lines> <o:Paragraphs>18</o:Paragraphs> <o:CharactersWithSpaces>9466</o:CharactersWithSpaces> <o:Version>14.0</o:Version> </o:DocumentProperties></xml><![endif]--> <!--[if gte mso 9]><xml> <w:WordDocument> <w:View>Normal</w:View> <w:Zoom>0</w:Zoom> <w:TrackMoves/> <w:TrackFormatting/> <w:PunctuationKerning/> <w:ValidateAgainstSchemas/> <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid> <w:IgnoreMixedContent>false</w:IgnoreMixedContent> <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText> <w:DoNotPromoteQF/> <w:LidThemeOther>EN-US</w:LidThemeOther> <w:LidThemeAsian>JA</w:LidThemeAsian> <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript> <w:Compatibility> <w:BreakWrappedTables/> <w:SnapToGridInCell/> <w:WrapTextWithPunct/> <w:UseAsianBreakRules/> <w:DontGrowAutofit/> <w:SplitPgBreakAndParaMark/> <w:EnableOpenTypeKerning/> <w:DontFlipMirrorIndents/> <w:OverrideTableStyleHps/> </w:Compatibility> <m:mathPr> <m:mathFont m:val="Cambria Math"/> <m:brkBin m:val="before"/> <m:brkBinSub m:val="--"/> <m:smallFrac m:val="off"/> <m:dispDef/> <m:lMargin m:val="0"/> <m:rMargin m:val="0"/> <m:defJc m:val="centerGroup"/> <m:wrapIndent m:val="1440"/> <m:intLim m:val="subSup"/> <m:naryLim m:val="undOvr"/> </m:mathPr></w:WordDocument></xml><![endif]--><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true" DefSemiHidden="true" DefQFormat="false" DefPriority="99" LatentStyleCount="276"> <w:LsdException Locked="false" Priority="0" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Normal"/> <w:LsdException Locked="false" Priority="9" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="heading 1"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/> <w:LsdException Locked="false" Priority="39" Name="toc 1"/> <w:LsdException Locked="false" Priority="39" Name="toc 2"/> <w:LsdException Locked="false" Priority="39" Name="toc 3"/> <w:LsdException Locked="false" Priority="39" Name="toc 4"/> <w:LsdException Locked="false" Priority="39" Name="toc 5"/> <w:LsdException Locked="false" Priority="39" Name="toc 6"/> <w:LsdException Locked="false" Priority="39" Name="toc 7"/> <w:LsdException Locked="false" Priority="39" Name="toc 8"/> <w:LsdException Locked="false" Priority="39" Name="toc 9"/> <w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/> <w:LsdException Locked="false" Priority="10" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Title"/> <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/> <w:LsdException Locked="false" Priority="11" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/> <w:LsdException Locked="false" Priority="22" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Strong"/> <w:LsdException Locked="false" Priority="20" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/> <w:LsdException Locked="false" Priority="59" SemiHidden="false" UnhideWhenUsed="false" Name="Table Grid"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/> <w:LsdException Locked="false" Priority="1" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 1"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 1"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 1"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/> <w:LsdException Locked="false" Priority="34" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/> <w:LsdException Locked="false" Priority="29" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Quote"/> <w:LsdException Locked="false" Priority="30" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 1"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 1"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 2"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 2"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 2"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles></xml><![endif]--> <!--[if gte mso 10]><style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; border:none;} </style><![endif]--> <!--StartFragment--> <!--EndFragment--><br /><div class="Body"><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com12http://blog.jeremiahgrossman.com/2016/05/millions-have-computer-security.htmltag:blogger.com,1999:blog-13756280.post-83475145713282240512016-05-17T10:39:00.000-07:002016-05-17T10:41:02.192-07:007 Tips to Get the Absolute Best Price from Security VendorsSecurity budgets are always extremely tight, so it’s smart to get the absolute best price possible from your security vendors. Never ever pay full price, or even take the first quote vendors give you. That price just sets the stage and it’s best to think of it as the ‘dummy price,’ so don’t pay it! I’ve spent nearly two decades sitting at the price negotiation table in the security industry and seen all manner of techniques customers use successfully to win discounts, and more people should use them. Customers, even small ones, can exercise a ton of leverage over their security vendors if they only knew how. And, more often than not, vendors themselves don’t really mind. It signals that a deal is likely to be made and to a vendor, that’s what’s most important.<br /><div><br /></div><div>While it’s common for large companies to have negotiations handled by a separate department, typically called ‘Procurement,’ many leave the responsibility to whomever is actually making the purchase. In either case, security practitioners can personally say, do, and offer things the procurement department can’t to help obtain the best possible price. Remember, security product margins can range anywhere from 40-60% or even higher. I’ve seen discounts well over 50% of the originally quoted price. Some vendors will even take a loss to win your business, depending on the size of your brand and the reference you’ll provide.&nbsp;</div><div><br /></div><blockquote class="tr_bq">Note: I’m not a big fan of this as you risk not being treated well as a customer long-term. The vendor may decide to drop you later because you’re unprofitable. So, allow vendors to make a profit, just not an obscene one.</blockquote><div><br /></div><div>Below you’ll find my ranked list of the most powerful negotiating techniques I’ve come across in the purchasing process, many of which are applicable beyond security purchases…</div><div><br /></div><div><br /></div><div><b>1.<span class="Apple-tab-span" style="white-space: pre;"> </span>Negotiate Price at Quarter End / Year End</b></div><div>More than anything, businesses want financial predictability. They want to be able to plan out, with a high degree of accuracy, precisely how much business is expected to close at least two quarters into the future. Sales forecasting is largely a Sales department function. So when end of the quarter is just a few weeks away, and overall sales volume isn’t where it needs to be, the sales rep (and their bosses) scramble and make concessions to bridge the gap and hit their forecast. The larger the sales forecast gap, and the closer to quarter end, the more desperate they become and more open they’ll be to deep discounts or throwing in additional products / services to sweeten the pot.</div><div><br /></div><div>Smart customers simply ask sales reps when their quarter or fiscal year ends, just after the vendor asks the customer what their budget range is. So, if you like the product, and you’re likely to buy it, let them know you’ll commit to the purchase in the current quarter, before the end, if they give you a good deal. Vendors will routinely knock 10-30% (or more) off the price, just with the ability to accurately forecast a deal closing. If the vendor is unwilling to work with you and the purchase isn’t urgent, let them know you’re more likely to purchase next quarter, which ads uncertainty to their forecast and they’ll have a decision to make. Rinse. Repeat.</div><div><span class="Apple-tab-span" style="white-space: pre;"> </span></div><div><b>2.<span class="Apple-tab-span" style="white-space: pre;"> </span>Multi-Year Deals</b></div><div>As previously mentioned, businesses love predictability. For this reason, subscription-based businesses, like Software-as-a-Service, love predictable renewals rates. Security vendors know that just because you’re a customer this year, it doesn’t automatically mean you’ll be a customer next year — as the market is highly competitive. They know they’ll likely have to negotiate price with existing customers before the contract expires, which comes at a cost of time and sales forecast uncertainly.&nbsp;</div><div><br /></div><div>To reduce this uncertainly, subscription-based businesses will often give attractive discounts to customers willing to sign up for multi-year deals. Two to three year deals are typical, likely fetching a 5-10% discount, possibly more if you’re willing to pay up front, but we’ll explore this more in a moment. It’s also best to refrain from committing to more than three years for security purchases as it’s difficult to know what the business needs will be that far out, or how the product landscape may have changed in that time.&nbsp;</div><div><br /></div><div><b>3.<span class="Apple-tab-span" style="white-space: pre;"> </span>Paying In Advance</b></div><div>For many security services, such as subscription SaaS products, you pay monthly or quarterly after services are rendered. For the security vendor’s finance department, that means they’re out some amount of money to service you before you pay them for those services. If you like a particular security service and plan to continue having it for a least another year, consider paying for a year or more in advance. For the vendor, having getting cash up front is often attractive and it takes payment uncertainty out of the equation, giving their business additional flexibility. Obviously, the bigger the deal, the better in terms of discounting. This method can win another 5-10% or so in discounts on its own.&nbsp;</div><div><br /></div><div><b>4.<span class="Apple-tab-span" style="white-space: pre;"> </span> Customer Reference, Case Study, Gartner Reference</b></div><div>In InfoSec it’s extremely difficult to get customers to speak publicly, or even privately, about their experience with a given security product. When a customer does consent to speak, it’s incredibly powerful, and few things generate more business for security vendors than vocally happy customers. Customers should use this power to their advantage, especially if they really really like a security product and want to see the company do well.</div><div><br /></div><div>To do this, customers can serve as a reference in a few different ways:</div><div><br /></div><div>a.<span class="Apple-tab-span" style="white-space: pre;"> </span>Private Reference – speaks to other customers</div><div>b.<span class="Apple-tab-span" style="white-space: pre;"> </span>Public Reference, Individual – willing to do case studies, press, events, quotes, but as an individual versus the company</div><div>c.<span class="Apple-tab-span" style="white-space: pre;"> </span>Public Reference – Company – the company is endorsing the product and brand, including a logo on the vendors website, slides, etc. &nbsp;</div><div><br /></div><div>All of this is good and even a non-contractual promise to be a reference can lead to great discounts. As a small warning, many organizations have policies regarding speaking on behalf of the company, so make sure to follow those. If you can find out if the security vendor is in the process of working with Gartner on the magic quadrant of their space, customers who are willing to be a positive reference in this time period are like gold. I’ve personally seen seriously deep discounts here, even free!</div><div><br /></div><div><b>5.<span class="Apple-tab-span" style="white-space: pre;"> </span>Ask for More Stuff, Not Always Price Discounts</b></div><div>Let’s say you’re asking for a discount, but for whatever reason the security vendor isn’t agreeable. This could be because they need to keep their average sales price (ASP) above a particular threshold so their business looks good to their board and investors. In these circumstances, you can instead ask for them to throw in things that are more easy for them to give away or commit to.</div><div><br /></div><div>a.<span class="Apple-tab-span" style="white-space: pre;"> </span>Extra subscription time, especially if full deployment will take a while.</div><div>b.<span class="Apple-tab-span" style="white-space: pre;"> </span>Additional services or software licenses&nbsp;</div><div>c.<span class="Apple-tab-span" style="white-space: pre;"> </span>A better customer support package.</div>d.<span class="Apple-tab-span" style="white-space: pre;"> </span>Free training.<br /><div>d.<span class="Apple-tab-span" style="white-space: pre;"> </span>Payment flexility. How and how often payment has to be made.</div><div>e.<span class="Apple-tab-span" style="white-space: pre;"> </span>Product roadmap enhancements that’ll better serve you.</div><div><br /></div><div>In many circumstances, security vendors will find the items on this list easier to give you than discounting the overall deal. You get more, but pay the same.</div><div><br /></div><div><br /></div><div><b>6.<span class="Apple-tab-span" style="white-space: pre;"> </span>Find Out What Others Paid. Competitive Bids.</b></div><div>When entering pricing discussions, it’s always helpful to know what other customers paid as a point of reference. You may or may not be able to get the same deal as they did, but you want something in at least the general vicinity. There are a couple of ways to obtain this information.</div><div><br /></div><div>a.<span class="Apple-tab-span" style="white-space: pre;"> </span>Ask a colleague you personally know, who has already purchased a product you’re considering. What kind of deal did they get?&nbsp;</div><div>b.<span class="Apple-tab-span" style="white-space: pre;"> </span>Ask the vendors for customer references during the evaluation process, which is something all customers should do as a matter of course. Not only ask the reference what they liked and didn’t like about the product, but what they paid.&nbsp;</div><div>c.<span class="Apple-tab-span" style="white-space: pre;"> </span>Ask the vendor for their competitor’s pricing, and how they compare with it. &nbsp;</div><div><br /></div><div>In some cases, pricing information is considered confidential, but it doesn’t hurt to ask. Having this pricing research on hand greatly helps get you the best deal possible.&nbsp;</div><div><br /></div><div>Additionally, you’re probably considering between two or more comparable products to solve a particular security problem. If the products themselves are a toss up, meaning you’d be happy with either option, consider sharing the bids with the competing security vendors. No security vendors want to lose a competitive deal in the last stage simply because the competition slightly edged them on price. You’d be surprised how quickly vendors will knock off 5—10% as a take away from the competition.</div><div><br /></div><div><br /></div><div><b>7.<span class="Apple-tab-span" style="white-space: pre;"> </span>Go Direct</b></div><div>Many customers have a preferred reseller, typically called Value Added Resellers (VARs), through which they make their security purchases. Among other things, VARs make vendor management much easier for customers. They’ll help identify security program gaps, document purchase requirements, product selection, answer questions, and more. For the value they add, VARs usually take a roughly 30% margin on each product sale. Then, of course, they can tack on additional dollars for consulting and implementation if there is a need. &nbsp;The remaining 70% of the sale price goes to the security vendor.</div><div><br /></div><div>Here’s the thing, the business of the VAR is in the first two letters — V.A… &nbsp;VALUE. ADDED. If a VAR is not adding enough value, which is often the case, they’re justifiably not entitled to their 30%. And in these circumstances, the VAR can and should be bypassed to go direct to the security vendor where the customer can get a [30%] discount without costing the vendor anything. And, unless there is a good reason not to, get bids from 3 VARs so they’ll have to fight to get you the best deal – fight to win your business. Often VARs will cut into their own profit margin to land the deal.</div><div><br /></div><div><br /></div><div><br /></div><div>There you have it. Seven ways to help maximize the purchasing power of the security budget. Good luck!</div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com15http://blog.jeremiahgrossman.com/2016/05/7-tips-for-getting-absolute-best-price.htmltag:blogger.com,1999:blog-13756280.post-23621798017993755052016-05-12T17:14:00.000-07:002016-05-12T18:51:46.786-07:00From 300 lbs to 200 lbs<div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit;"><span style="font-kerning: none;">Did you know that one point in my life I was just over 300 pounds? Most don’t, but I was. Then after considerable effort, I got to the 250 pounds range and remained for several years. At the time of this writing, I’m about </span><span style="-webkit-font-kerning: none; font-size: 10px; line-height: normal;">210 pounds</span><span style="font-kerning: none;">. My goal is to stabilize at around 200 pounds with a body fat of ~10%. If all goes as planned, maybe in 6 months or so I’ll be about where I want to be. At 6’2”, it’s a pretty solid physique. Upon witnessing my physical transformation, many friends and family ask how I’m doing this. “What’s your secret?” Spoiler: I don’t have one.&nbsp;</span></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;"><br /></span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-SrLqHPVgdQs/VzUXnuyoT4I/AAAAAAAACVM/-uzvwl7Q4gAaqyqiV_2L_IabEwTvAZjigCK4B/s1600/DSC00699.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="240" src="https://2.bp.blogspot.com/-SrLqHPVgdQs/VzUXnuyoT4I/AAAAAAAACVM/-uzvwl7Q4gAaqyqiV_2L_IabEwTvAZjigCK4B/s320/DSC00699.jpg" width="320" /></span></a></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-YygnEFRLiRg/VzUXr_Mo5TI/AAAAAAAACVU/ylpiGD8i7SEk5c7jP2UmYB52pNgkZ6h7ACK4B/s1600/IMG_6680%2B3.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="320" src="https://3.bp.blogspot.com/-YygnEFRLiRg/VzUXr_Mo5TI/AAAAAAAACVU/ylpiGD8i7SEk5c7jP2UmYB52pNgkZ6h7ACK4B/s320/IMG_6680%2B3.JPG" width="240" /></span></a></div><span style="font-family: inherit;"><span style="font-kerning: none;"></span><a href="http://2.bp.blogspot.com/-SrLqHPVgdQs/VzUXnuyoT4I/AAAAAAAACVM/-uzvwl7Q4gAaqyqiV_2L_IabEwTvAZjigCK4B/s1600/DSC00699.jpg" imageanchor="1"></a><a href="http://4.bp.blogspot.com/-duizEonJcAg/VzUXxceH1oI/AAAAAAAACVc/CEI5gToC7JgV_VURZqtY6NL56JZpv-RewCK4B/s1600/IMG_6686.JPG" imageanchor="1"><img border="0" height="320" src="https://4.bp.blogspot.com/-duizEonJcAg/VzUXxceH1oI/AAAAAAAACVc/CEI5gToC7JgV_VURZqtY6NL56JZpv-RewCK4B/s320/IMG_6686.JPG" width="240" /></a></span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span><span style="font-family: inherit; font-kerning: none;">Before going any further, let me clearly state that I’m NOT a personal trainer. I’m NOT a nutritionist. And I’m certainly NOT trying to sell anything. This post simply answers the question people ask by listing out my nutrition and exercise regiment. Additionally, while everything I’ve done has undoubtedly improved my overall health, the goal is primarily focused towards improving my performance in combat sports, such as particularly Brazilian Jiu-Jitsu and Mixed Martial Arts. Competing at a high-level requires that I’m very strong, fast, flexible, with good cardio and balance. A lean and muscle-toned physique is most ideal.</span><br /><span style="font-family: inherit; font-kerning: none;"><br /></span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><a href="http://4.bp.blogspot.com/-oGG7AvjB3p4/VzUYNlpaiRI/AAAAAAAACVo/Irq1AAnFlmo90c4U8_NgeQKVLXEecmLtQCK4B/s1600/12778993_10154596775158492_7161580635583267846_o.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="200" src="https://4.bp.blogspot.com/-oGG7AvjB3p4/VzUYNlpaiRI/AAAAAAAACVo/Irq1AAnFlmo90c4U8_NgeQKVLXEecmLtQCK4B/s200/12778993_10154596775158492_7161580635583267846_o.jpg" width="150" /></span></a><br /><h3><span style="font-family: inherit; font-kerning: none;"><u><b>Nutrition</b></u></span></h3></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit;"><br /></span><span style="font-family: inherit; font-kerning: none;">Food is what fuels my body to perform at my best during each training session. My daily consumption maps as best as I can to the planned physical activity. If I break down and eat something I shouldn’t, it happens, my performance noticeably suffers and I get my butt kicked as a consequence. It sucks. As it turns out, not wanting to get punched in the face, choked, or arm hyper extended is a great motivator!</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">Each week I have 4 very hard training days, 2 lighter training days, and 1 rest day. And that’s how I plan out my meals. For most of the last year, I was predominantly eating lean meats, vegetables, and fruit. The Paleo diet is the closest example. Then for the last ~3 months I shifted to a whole-food Vegan diet with some minor exceptions.&nbsp;</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;"><br /></span><span style="font-family: inherit; font-kerning: none;"><br /></span><span style="font-family: inherit;">Additional nutrition rules I follow:</span></div><ul><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-size: 12px; line-height: normal;"></span><span style="font-kerning: none;">No caffeine</span></span></li><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-kerning: none;">No alcohol</span></span></li><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-size: 12px; line-height: normal;"></span><span style="font-kerning: none;">Liquid is primarily water (occasionally iced tea, tea, or carbonated water with lime)</span></span></li><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-size: 12px; line-height: normal;"></span><span style="font-kerning: none;">No dairy</span></span></li><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-size: 12px; line-height: normal;"></span><span style="font-kerning: none;">Nothing fried</span></span></li><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-size: 12px; line-height: normal;"></span><span style="font-kerning: none;">Very little processed food</span></span></li><li style="font-size: 11px; line-height: normal; margin: 0px;"><span style="font-family: inherit;"><span style="font-size: 12px; line-height: normal;"></span><span style="font-kerning: none;">No vitamins or supplements (I may include them later at some point)</span></span></li></ul><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><br /></span></div><div style="font-size: 11px; line-height: normal;"><h4><span style="font-family: inherit; text-decoration: underline;"><b>Hard Training Day</b></span></h4></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><a href="http://1.bp.blogspot.com/-aBwo5HtepBo/VzUaxhyvtqI/AAAAAAAACXE/YBxMINhrnms-OxLKsfHIWkKizmnpYYHxQCK4B/s1600/IMG_6109.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: inherit;"><img border="0" height="150" src="https://1.bp.blogspot.com/-aBwo5HtepBo/VzUaxhyvtqI/AAAAAAAACXE/YBxMINhrnms-OxLKsfHIWkKizmnpYYHxQCK4B/s200/IMG_6109.jpg" width="200" /></span></a><span style="font-family: inherit; font-kerning: none;">Paleo: To get through my training sessions, 2300 - 2400 calories feels about right. Under 2100 and I would gas out early. Over 2400 and body fat wouldn’t come off. I targeted my protein intake at just under 1g per pound of body weight, which is a good zone according to what many bodybuilders suggest to build muscle. Fat intake at no more than 50g. And of course the rest being the carbs for energy I need for training.</span><br /><span style="font-family: inherit; font-kerning: none;"><br /></span><span style="font-family: inherit;"><span style="font-kerning: none;">R</span>eaching these macros requires several full meals during the day, and timed so my belly isn’t too full during class.&nbsp; And honestly, if you look at the meal plan, its been really hard physically eating so much food. On the upside, while [bad food] cravings are certainly an issue, I was never, ever hungry!</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-NPCB4VSv5lQ/VzUZyYQ78cI/AAAAAAAACWU/rc3pT7qxFeA69jm3UiEgux59q7Ky43anACK4B/s1600/Paleo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="238" src="https://4.bp.blogspot.com/-NPCB4VSv5lQ/VzUZyYQ78cI/AAAAAAAACWU/rc3pT7qxFeA69jm3UiEgux59q7Ky43anACK4B/s320/Paleo.png" width="320" /></span></a></div><span style="font-family: inherit; font-kerning: none;">Vegan: On the outset, I didn’t know how my body would react to being Vegan. I didn’t know what the cravings would be like, if I’d have the necessary energy needed, etc. So, I got rid of the whole calorie and macro counting thing. Instead decided to start by simply eating whatever I wanted, whenever I wanted, as long as it was whole-food and vegan, and then fine tune from there. Note that I routinely replace many of the ingredients on the list with suitable replacements as I want to eat a wide variety of food in order to get all the recommended vitamins and minerals.&nbsp;</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-NJdoBfgIV_I/VzUZ7RkulUI/AAAAAAAACWc/ZTTebxhIUXUgwSpxpdD6c-q1l63SS99cACK4B/s1600/Vegan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="238" src="https://3.bp.blogspot.com/-NJdoBfgIV_I/VzUZ7RkulUI/AAAAAAAACWc/ZTTebxhIUXUgwSpxpdD6c-q1l63SS99cACK4B/s320/Vegan.png" width="320" /></span></a></div><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;"><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">While the calorie counts on my Vegan diet are higher than the Paleo version, the weight / fat has been coming off with similar speed. And honestly, I feel notably better being vegan so far and my physical performance has improved. My mind is a bit clearer, joints move easier, and my recovery is faster. Cool eh!?</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><h4><span style="font-family: inherit; text-decoration: underline;">Light Training</span></h4></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">Paleo: Take my hard training day meal plan, then drop the calories to 1600 - 1700, mostly from the carbs. Eat just enough food to get through my training and no more.</span><br /><span style="font-family: inherit; font-kerning: none;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-461MIaL7_YU/VzUaBy5b7xI/AAAAAAAACWo/fwB5u-AAwnwSvALCZrVbW_SXPLFl0DCogCK4B/s1600/Paleo%2BLite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="236" src="https://2.bp.blogspot.com/-461MIaL7_YU/VzUaBy5b7xI/AAAAAAAACWo/fwB5u-AAwnwSvALCZrVbW_SXPLFl0DCogCK4B/s320/Paleo%2BLite.png" width="320" /></span></a></div><span style="font-family: inherit; font-kerning: none;"><br /></span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">Vegan: Same thing, reduce calories mostly from slow burning carbs (oatmeal, sweat potato, etc) down to roughly 1800 as this feels right.</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span><span style="font-family: inherit;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-HMo1Y70HRo8/VzUaF2YSlJI/AAAAAAAACWw/YtVXiaHvpxwXw9ANm11HUoXHncUOZhj6gCK4B/s1600/Vegan%2BLite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="202" src="https://1.bp.blogspot.com/-HMo1Y70HRo8/VzUaF2YSlJI/AAAAAAAACWw/YtVXiaHvpxwXw9ANm11HUoXHncUOZhj6gCK4B/s320/Vegan%2BLite.png" width="320" /></span></a></div><span style="font-family: inherit;"><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">In both hard and light training days, I generally stop eating for the day around 5pm — particularly anything containing any sugars, like fruit. The strategy here is that by the time my early morning training starts the next day, my cardio workout will largely burn fat as fuel as all the sugar / carbs in my system have already been metabolized. Then afterwards I can eat again — yay! :)</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><a href="http://1.bp.blogspot.com/-sB22rzNcu_M/VzUaODBR80I/AAAAAAAACW4/bLW15ezxV_cygoAzP5V_mOogP5WeLCv0gCK4B/s1600/12742307_10154592707578492_7899782346294545014_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="200" src="https://1.bp.blogspot.com/-sB22rzNcu_M/VzUaODBR80I/AAAAAAAACW4/bLW15ezxV_cygoAzP5V_mOogP5WeLCv0gCK4B/s200/12742307_10154592707578492_7899782346294545014_n.jpg" width="150" /></span></a><span style="font-family: inherit; text-decoration: underline;"></span><br /><span style="font-kerning: none; text-decoration: underline;"><span style="font-family: inherit; text-decoration: underline;"><br /></span></span><span style="font-kerning: none; text-decoration: underline;"><span style="font-family: inherit; text-decoration: underline;"><br /></span></span><br /><h4><span style="font-family: inherit; text-decoration: underline;">Rest Day</span></h4></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">24 hour fast (no food, but water / tea is ok). While this helps stabilize my insulin levels, it’s also about simple math — and besides, I’m not training at all anyway. Consider that 1 pound of fat equals 3,500 calories. So, by foregoing ~1800 calories per week here, I get to lose an extra 1/2 off the top. Each month, that’s roughly 2 pounds of fat. Awesome!</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><br /></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;"><b><br /></b></span><br /><span style="font-family: inherit;"><br /></span><span style="font-family: inherit; font-kerning: none;"><b><br /></b></span><br /><h3><span style="font-family: inherit; font-kerning: none;"><b><u>Training / Exercise</u></b></span></h3></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">As mentioned, my exercise is primarily designed for combat sports. Then I mix in some low intensity cardio and weight training to support those activities. Collectively it’s about 4 hard days of training, 2 lighter days, and 1 rest day. Most weeks I’ll miss a session here and there when life gets in the way, but what you see is the plan I set out to accomplish each and every week and whatever happens, happens. I’ll try to get the time back in some other way before reseting on Monday. On the average, I get done about 75% or more of what’s on the list.&nbsp;</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-J3U_S2a-xKw/VzUZcGT9tuI/AAAAAAAACWM/Cm5y8rSlMlgBFcQNNB8h3Y-msmsblbEoQCK4B/s1600/Screen%2BShot%2B2016-05-11%2Bat%2B5.56.38%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="214" src="https://1.bp.blogspot.com/-J3U_S2a-xKw/VzUZcGT9tuI/AAAAAAAACWM/Cm5y8rSlMlgBFcQNNB8h3Y-msmsblbEoQCK4B/s320/Screen%2BShot%2B2016-05-11%2Bat%2B5.56.38%2BPM.png" width="320" /></span></a></div><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">The intensity of each class can vary greatly depending on what we’re learning, what I’m physically capable of that day, and so on. Either way, I do the best that I can with a mission of improving … in whatever small amount that might be. And those with a sharp eye, who read this far, might notice that I have a salsa dance class listed. It was recommended by my Muay Thai coach as a way of improving my footwork, timing, and coordination. And, it works! Go figure.</span></div><div style="font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-family: inherit;"><span style="font-kerning: none;"></span><br /></span></div><div style="font-size: 11px; line-height: normal;"><span style="font-family: inherit; font-kerning: none;">That’s it. My secret is hard work and dedication, which is basically all anyone needs to accomplish anything in life.</span></div><br /><div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; font-size: 11px; line-height: normal; min-height: 13px;"><span style="font-kerning: none;"></span><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com7http://blog.jeremiahgrossman.com/2016/05/from-300-lbs-to-200-lbs.htmltag:blogger.com,1999:blog-13756280.post-63451343426382515572016-03-07T09:06:00.000-08:002016-03-07T09:06:44.835-08:00My last days at WhiteHat and setting sights on the future<div class="p1">I’ve said it many times; the Web is probably the greatest invention we’ll see in our lifetime. The Web touches the lives of everyone we know, every family member, every child, every friend, and everyone we meet. The Web connects over two billion people and fuels entire economies. It’s a place where we learn, communicate, and share our closest kept secrets. Something as important as the Web must be protected and I’ve always felt it was a privilege to do so. For the last 15 years, as founder of WhiteHat Security, I’ve done exactly that every single day. WhiteHat has not just changed my life, it has been my life — wholly inseparable. Bittersweet as it is, the end of March will be my last day.&nbsp;</div><div class="p2"><span class="s1"></span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">Right now, I’d like to take a moment to reflect. While it’s impossible to measure, I sometimes think about how many hacks didn’t happen — how many people and companies were not hacked — as a result of the work we did at WhiteHat. People have often shared how much we’ve helped them and how important our work is. It’s an amazing feeling knowing that what you do matters. Everyone should be so fortunate. In that sense, WhiteHat is not just another company. It’s something more, much more. WhiteHat represents a mission, an ideal, a state of being. I’ve strived to embody these attributes since Day 1. I’ve always worked tirelessly to be the best at what I do and have had a personal passion for innovation.&nbsp;</span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">WhiteHat was the first company to adopt a Software-as-a-Service model in Application Security. Though our statistics report that thousands rely upon, we were the first to bring measurable data to the industry. We pioneered the founding of two industry groups, OWASP and WASC. We led the creation of the first AppSec lexicon, the Threat Classification, and the language everyone uses when speaking AppSec. We’ve released much of the most cutting-edge and foundational security research to date, which has raised awareness globally. And we were the first vendor to offer a security guarantee. I’m sure sure I’m missing several other firsts, but already no other company has such a record of industry contribution and market success.</span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">While I have a lot to be proud of, none of this would have been possible without a great many amazing people and lifelong friends. I’d like to personally thank the hundreds of WhiteHat employees, both past and present, for helping protect the Web and making WhiteHat the success that it is. They are what I’m most proud of and grateful for. Working with you all has been a singular honor. I would also like to send a very special thank you to the over 1,000 customers who believed in me, believed in WhiteHat, and entrusted us to protect them. Your trust and support always meant everything to me. Thank you to our partners all over the world who brought us to their customers and championed our cause. And thank you to the security community, the lifeblood of the entire industry, and who carry us all.</span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">Of course many will be curious about what I’m going to do next. While I’m not yet ready to reveal those details, what I can share is that I remain genuinely excited about the future of the security industry. I’m not going anywhere. Every day I see new and interesting problems that I’d like an opportunity to solve and expand my horizons. More than anything, that’s why I’m leaving WhiteHat, but its spirit will always be with me and continue to influence my life. Any of us has the capacity to change the world, we just have to allow ourselves the chance to do so.</span></div><div class="p2"><span class="s1"></span><br /></div><div class="p1"><span class="s1">Hack Yourself First.</span></div><br /><div class="p2"><span class="s1"></span><br /></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com48http://blog.jeremiahgrossman.com/2016/03/my-last-days-at-whitehat-and-setting.htmltag:blogger.com,1999:blog-13756280.post-57481161061609357172013-01-18T18:43:00.001-08:002013-01-19T00:48:53.950-08:00Aaron's suicide: System Contributed, Society Perpetuated<span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">If you are unfamiliar with the <a href="http://www.wired.com/threatlevel/2013/01/aaron-swartz/" target="_blank">circumstances surrounding Aaron Swartz's suicide</a>, the rest of what I have to say will not make any sense to you.</span><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">&nbsp;</span><br /><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;"><br /></span><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Aaron Swartz, an inspired and inspiring fellow hacker, left us by his own hand at the age of 26. This story, his story, is nothing less than tragic. The world is lesser without him. For his [alleged] 'computing hacking crimes,’ he faced 35 years in prison, 3 years of supervised release, and fines of up to $1 million. This degree of punishment is </span><a href="http://www.alternet.org/10-awful-crimes-get-you-less-prison-time-what-aaron-swartz-faced-freeing-jstor-articles" style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;" target="_blank">more than</a><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;"> someone would receive if found guilty of providing direct support to terrorists in the acquisition of nuclear weaponry. Think about that. Angry? So am I, but that's not enough.</span><br /><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0px;"><br /></span></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0px;">If you believe the actions of the Massachusetts U.S. Attorney’s office, and that of prosecutors Carmen Ortiz and Stephen Heymann were atrocious, reprehensible, despicable even, and think, as <a href="http://www.latimes.com/news/nation/nationnow/la-na-nn-aaron-swartz-funeral-eulogy-father-20130115,0,648108.story" target="_blank">Aaron's father does</a>, their actions contributed to his sons death, I'm with ya. At least 43,666 share similar outrage with you, well, us. A<a href="https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck" target="_blank">&nbsp;White House petition</a> is calling for Ortiz's removal from office. Burn the witch! But be careful here, if you think this will change a damn thing, that societies usual focus of rage will somehow save a future young life, and lead to some kind of social justice, that’s where we part ways.</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">You see, many will look at the circumstances and correctly conclude, “something is wrong here” and “something needs to change!” Unfortunately, they'll focus their rage on the wrong things, things they are told to get upset about, and mistakenly serve to protect the system that contributed to Aaron's suicide. They'll focus rage on the prosecution's behavior. They’ll focus rage on “appropriate punishment” of the crime. They’ll focus rage on amending or removing a defective CFAA law and supposed intent of that law. They’ll focus rage on obtaining social “justice.” Bzzz, wrong! Fake out!</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">I concede that these are normal, natural, yet systemically trained responses. Rage focused this way guarantees that more similarly minded political appointees get, well, appointed. Rage focused this way guarantees we’ll get no justice.&nbsp;</span><br /><span style="letter-spacing: 0px;"><br /></span><span style="letter-spacing: 0px;">Aaron’s story was never, ever about “the law” or that pesky word, “justice.” Like ~90% of cases, this was NEVER going to get to a trial. You know, the visual you get where you have rights to a judge, jury of your peers, call witnesses, opportunity to confront your accusers, articulate lawyers and everything else you see on Law &amp; Order.&nbsp;</span><span style="font-family: Helvetica;"><span style="letter-spacing: 0px;">Like "justice," getting a trial was never on the negotiating table, where justice is supposedly decided. The prosecution didn’t want it. Aaron and his lawyers didn’t want it. This entire charade was about plea bargaining, a place where you have none of these "</span>constitutional<span style="letter-spacing: 0px;">&nbsp;rights.” This case all was about the manufacturing of yet another felon, about career advancement. Look, <a href="http://www.justice.gov/usao/ma/news/2013/January/StatementreSwartz.html" target="_blank">one of Aaron's prosecutors admitted as much right here</a>:</span></span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="color: #38761d;"><i><span style="letter-spacing: 0.0px;">“I must, however, make clear that this office's </span><span style="letter-spacing: 0.0px; text-decoration: underline;">conduct was appropriate</span><span style="letter-spacing: 0.0px;"> in bringing and handling this case.”</span></i></span></div><div><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;"><span style="color: #38761d;"><i>Carmen Milagros Ortiz,&nbsp;</i></span></span><span style="color: #38761d; font-family: Helvetica;"><span style="font-size: 12px;"><i>United States Attorney for the District of Massachusetts</i></span></span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">Please don’t waste time debating whether or not you feel the prosecution was going too far. That’s the fake out. The same fake out you’ll see in the headlines that protects the system. That answer doesn't matter. Instead, ask yourself WHY the prosecution thought their “conduct was appropriate.” That's the dangerous question few are willing entertain. They do really think that, you know. They’re not lying. Prosecutors are trained to think that way. We train them to think that way. And from the system's perspective, it was! Appropriate.</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">You don’t agree? I don't blame you. If this was anything about justice, please explain to me why on the same website, in the <a href="http://www.justice.gov/usao/about/mission.html" target="_blank">Office of the US Attorneys’ own mission statement</a>, does the word “justice” appear exactly nowhere.</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">A clever, curious, person might ask, "if not justice, what is all of this really about?" Well, if you work for the U.S. Attorney’s office, or work as any trial lawyer for that matter, your career is weighed and measured by your Win - Loss record. And in case you didn’t know, plea deals are a “Win,” for all the attorneys, no matter what side of the divide they are on.&nbsp;Plea deals are faster, cheaper, and again where the defendant has little to no "rights," which is why power loves 'em -- protects them.</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">Secondly, taking on high-profile cases like Aaron’s and “winning” are worth extra points. It gets the attorneys name out there, helps them differentiate from their peers, and advance careers. It’s all about the <strike>money</strike> power baby. Don’t believe me? Ask Gloria Allred. Ask Aaron’s attorney. <a href="http://www.huffingtonpost.com/2013/01/14/aaron-swartz-stephen-heymann_n_2473278.html" target="_blank">Don't bother, Wired already did</a>:</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="color: #38761d; letter-spacing: 0.0px;"><i>“Heymann [prosecutor] was looking for "some juicy looking computer crime cases and Aaron's case, sadly for Aaron, fit the bill," Peters said. Heymann, Peters believes, thought the Swartz case "was going to receive press and he was going to be a tough guy and read his name in the newspaper."”</i></span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /><span style="letter-spacing: 0.0px;"></span></div><div><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Unconvinced? Biased source right?&nbsp;</span><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Check out the press release from U.S. Attorney’s office website about the case. "</span><a href="http://www.justice.gov/usao/ma/news/2011/July/SwartzAaronPR.html" style="font-family: Helvetica; font-size: 12px;" target="_blank">Alleged Hacker Charged With Stealing.&nbsp;Over Four Million Documents From MIT Network</a><span style="font-family: Helvetica;"><span style="font-size: 12px;">."&nbsp;</span></span><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Yes, that's a PRESS RELEASE! PRESS PRESS PRESS. Why does this impress <strike>you</strike> society? And it does, because they wouldn't do it otherwise.&nbsp;</span><span style="font-family: Helvetica;"><span style="font-size: 12px; letter-spacing: 0px;">I'll tell you what lawyers are NOT graded on is their appropriate application of that nebulous word, “justice.” Otherwise we'd see big headlines about&nbsp;</span><span style="font-size: 12px;">expousing</span><span style="font-size: 12px; letter-spacing: 0px;">&nbsp;that. We don't.&nbsp;</span></span><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Still too cynical for you? </span><a href="http://www.wired.com/threatlevel/2013/01/prosecutor-defends-swartz-case/" style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;" target="_blank">Maybe this will help</a><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">, but it won’t make you feel better:</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><i><span style="color: #38761d;"><span style="letter-spacing: 0px;">“Ortiz [prosecutor] said it was a generous deal her office offered, and it took into account that Swartz’s actions were not financially motivated. She said Swartz would have been confined to a “low security setting.”</span><span style="letter-spacing: 0px; letter-spacing: 0px;"></span></span></i></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span><br /></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">Please show me where appropriate application of justice entered into the thought process, especially when there were no plaintiffs left at that point. I'd be willing to bet law school systemically eliminates justice-minded do gooders.&nbsp;</span><span style="letter-spacing: 0px;">Now, have another look at that US Attorneys’ mission statement again. See what does appear?</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><i><span style="letter-spacing: 0px;"><span style="color: #38761d;">“United States Attorneys are appointed by, and serve at the discretion of, the President of the United States”</span></span><span style="letter-spacing: 0.0px;"></span></i></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><span style="letter-spacing: 0.0px;"></span><br /></div><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Ask yourself, are political appointees selected on their careers merits or on the basis of their political clout? Bzzz. Sorry, trick question. The answer is already on <a href="https://en.wikipedia.org/wiki/Carmen_Ortiz" target="_blank">US Attorney Carmen Ortiz’s very own wikipedia entry</a>. Says it right there in the second sentence, immediately after her title.&nbsp;</span><br /><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;"><br /></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-YVp_7N13WZQ/UPn8J53EfiI/AAAAAAAACA4/6Vm0rZJgEpc/s1600/Screen+Shot+2013-01-18+at+5.50.21+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="http://2.bp.blogspot.com/-YVp_7N13WZQ/UPn8J53EfiI/AAAAAAAACA4/6Vm0rZJgEpc/s320/Screen+Shot+2013-01-18+at+5.50.21+PM.png" width="320" /></a></div><span id="goog_1738545517"></span><span id="goog_1738545518"></span><br /><span style="color: #38761d;"><i><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">“In 2009, she was nominated to the position by President&nbsp;</span><span style="font-family: Helvetica;"><span style="font-size: 12px;">Barack Obama. Ortiz is both the first woman and the first Hispanic to serve as U.S. attorney for Massachusetts.”</span></span></i></span><br /><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /><span style="letter-spacing: 0.0px;"></span></div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0.0px;">Unless you count being born a women and hispanic as an accomplishment, the answer is plain as day. Make the boss man look good! I know this comment borders on racist, sexist. Please understand I've no intention of diminishing her personal accomplishments in this regard. I'm sure she had it tough. What we must question, as her <strike>customers</strike> subjects, is how this make her qualified to administer justice. And apparently we think it does, otherwise why would her gender and ethnicity be highlighted first.</span><br /><span style="letter-spacing: 0px;"><br /></span><span style="letter-spacing: 0px;">Oh, and I’m also sure the possibility of </span><a href="http://www.bostonglobe.com/metro/2012/12/07/patrick-reportedly-cites-prosecutor-vying-for-governor/0aEpGj5QqjvJfgSwgFNc7H/story.html" style="letter-spacing: 0px;" target="_blank">Ortiz being a potential Democrat gubernatorial candidate in Massachusetts</a><span style="letter-spacing: 0px;"> had zero effect on things. Right.</span></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /><span style="letter-spacing: 0.0px;"></span></div><div style="min-height: 14px;"><span style="font-family: Helvetica;"><span style="font-size: 12px; letter-spacing: 0px;">Under these circumstances, if you change or repeal the law. So what? It was never about the law, or application of&nbsp;</span><span style="font-size: 12px;">justice,</span><span style="font-size: 12px; letter-spacing: 0px;">&nbsp;remember. Go ahead, call for her dismissal. Change the political appointee in the same power structure. So what? Another similar minded and well-trained appointee will gladly take their spot before the day is out. </span></span><span style="font-family: Helvetica; font-size: 12px; letter-spacing: 0px;">Focus on defining “appropriate behavior” when the incentives are perverted against justice. Good luck with that.</span></div><div style="min-height: 14px;"><br /></div><div><div style="font-family: Helvetica; font-size: 12px;"><span style="letter-spacing: 0px;">Do all these things. Declare your victory! Get your social justice and pound of flesh. What you'll also do is protect</span><span style="letter-spacing: 0px;">&nbsp;the system that&nbsp;</span>manufactures<span style="letter-spacing: 0px;">&nbsp;felons and contributes to suicide of our best and brightest.&nbsp;</span><span style="letter-spacing: 0px;">Do everything, but ask the dangerous question... WHY. WHY does basically everyone take a plea deal. WHY do prosecutors prefer them? You better ask it because it's the only justice system any of us are likely to experience. You do know most everyone is </span><a href="http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229" style="letter-spacing: 0px;" target="_blank">committing three felonies a day right</a><span style="letter-spacing: 0px;">?&nbsp;</span></div><div style="font-family: Helvetica; font-size: 12px;"><br />And so what if Oritz is fired. It's not like she is going to be disbarred. She'll immediately go across the street to a private firm working the other side of the table, probably making far more money too. And if you are in a similar position as Aaron, you'll find her credentials impressive. A "former"&nbsp;U.S. Attorney appointed by the President of the United States, who knows all players and the plea bargain&nbsp;process. Hell yeah. Because when YOU are facing hard time you'll not be the slightest bit interested in justice after all. What you want is to get off, and she's the best person for the job.&nbsp;Did you know Aaron's attorney,&nbsp;<a href="http://www.kvn.com/Lawyers/Peters-Elliot" target="_blank">Elliot R. Peters</a>&nbsp;(Partner at Keker &amp; Van Nest LLP), previously worked in the U.S. Attorney’s Office, Southern District of New York?<br /><span style="letter-spacing: 0px;"></span><br /><span style="letter-spacing: 0px;"><span style="letter-spacing: 0.0px;">Let’s explore one layer deeper into the perversity of the system. Upon Aaron’s death Federal prosecutors were forced to dismiss the charges against him. Not because a lack of evidence mind you, but because there is no defendant obviously. In addition to a PR hit, we must assume a “dismissal” counts against the prosecutions Win-Loss case record. From that perspective, the prosecution did NOT want Aaron to die. They would have much preferred him to live, take a plea, or at least suffer a conviction. On the other hand, Aaron’s attorneys scored a dismissal -- a “Win.”&nbsp;</span></span><br /><span style="letter-spacing: 0px;"><br /></span><span style="letter-spacing: 0px;">Whoa, whoa there. I’m not saying Mr. Peters or Keker &amp; Van Nest LLP wanted Aaron to die. No. What I’m saying is that system is set up such that when something like this happens, something that sparks true outrage, then that rage needs to be directed, and that the <u>defendants attorneys don’t lose</u>. That’s important because otherwise they wouldn’t play along in the farce.&nbsp;</span><br /><span style="letter-spacing: 0px;"><br /></span><span style="letter-spacing: 0px;">But that can’t be, the thought is too terrible to bare. I agree with you. Their defendant committed suicide after all. What do they do then? Aaron's attorneys immediately focus rage on the prosecution for being, what’s the word they used, “intransigent.” Whatever. They, the prosecution, are the real problem here! Right! Wrong! Whatever you supposedly chosen on your own doesn't matter one bit. The point is you picked a side and played along. The point is&nbsp;</span><strike style="letter-spacing: 0px;">you</strike><span style="letter-spacing: 0px;"> society bought it. Burn the witch!</span><br /><span style="letter-spacing: 0px;"><br /></span><span style="letter-spacing: 0px;">All that happened here was Aaron died and the system won.</span><br /><div><br /></div></div></div><div style="font-family: Helvetica; font-size: 12px; min-height: 14px;"><br /></div><div style="color: #021eaa; font-family: Helvetica; font-size: 12px;"></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com15http://blog.jeremiahgrossman.com/2013/01/aarons-suicide-system-contributed.htmltag:blogger.com,1999:blog-13756280.post-16593580661432728872012-04-12T16:47:00.000-07:002012-04-12T16:47:49.760-07:00Written Speech: TEDxMaui -- Hack Yourself First<!--[if !mso]> <style>v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--><!--[if gte mso 9]><xml> <o:DocumentProperties> <o:Revision>0</o:Revision> <o:TotalTime>0</o:TotalTime> <o:Pages>1</o:Pages> <o:Words>2546</o:Words> <o:Characters>14517</o:Characters> <o:Company>WhiteHat Security, Inc.</o:Company> <o:Lines>120</o:Lines> <o:Paragraphs>34</o:Paragraphs> <o:CharactersWithSpaces>17029</o:CharactersWithSpaces> <o:Version>14.0</o:Version> </o:DocumentProperties> </xml><![endif]--> <!--[if gte mso 9]><xml> <w:WordDocument> <w:View>Normal</w:View> <w:Zoom>0</w:Zoom> <w:TrackMoves>false</w:TrackMoves> <w:TrackFormatting/> <w:PunctuationKerning/> <w:ValidateAgainstSchemas/> <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid> <w:IgnoreMixedContent>false</w:IgnoreMixedContent> <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText> <w:DoNotPromoteQF/> <w:LidThemeOther>EN-US</w:LidThemeOther> <w:LidThemeAsian>JA</w:LidThemeAsian> <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript> <w:Compatibility> <w:BreakWrappedTables/> <w:SnapToGridInCell/> <w:WrapTextWithPunct/> <w:UseAsianBreakRules/> <w:DontGrowAutofit/> <w:SplitPgBreakAndParaMark/> <w:EnableOpenTypeKerning/> <w:DontFlipMirrorIndents/> <w:OverrideTableStyleHps/> </w:Compatibility> <m:mathPr> <m:mathFont m:val="Cambria Math"/> <m:brkBin m:val="before"/> <m:brkBinSub m:val="&#45;-"/> <m:smallFrac m:val="off"/> <m:dispDef/> <m:lMargin m:val="0"/> <m:rMargin m:val="0"/> <m:defJc m:val="centerGroup"/> <m:wrapIndent m:val="1440"/> <m:intLim m:val="subSup"/> <m:naryLim m:val="undOvr"/> </m:mathPr></w:WordDocument> </xml><![endif]--><!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true" DefSemiHidden="true" DefQFormat="false" DefPriority="99" LatentStyleCount="276"> <w:LsdException Locked="false" Priority="0" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Normal"/> <w:LsdException Locked="false" Priority="9" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="heading 1"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/> <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/> <w:LsdException Locked="false" Priority="39" Name="toc 1"/> <w:LsdException Locked="false" Priority="39" Name="toc 2"/> <w:LsdException Locked="false" Priority="39" Name="toc 3"/> <w:LsdException Locked="false" Priority="39" Name="toc 4"/> <w:LsdException Locked="false" Priority="39" Name="toc 5"/> <w:LsdException Locked="false" Priority="39" Name="toc 6"/> <w:LsdException Locked="false" Priority="39" Name="toc 7"/> <w:LsdException Locked="false" Priority="39" Name="toc 8"/> <w:LsdException Locked="false" Priority="39" Name="toc 9"/> <w:LsdException Locked="false" Priority="0" Name="annotation text"/> <w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/> <w:LsdException Locked="false" Priority="0" Name="annotation reference"/> <w:LsdException Locked="false" Priority="10" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Title"/> <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/> <w:LsdException Locked="false" Priority="11" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/> <w:LsdException Locked="false" Priority="22" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Strong"/> <w:LsdException Locked="false" Priority="20" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/> <w:LsdException Locked="false" Priority="59" SemiHidden="false" UnhideWhenUsed="false" Name="Table Grid"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/> <w:LsdException Locked="false" Priority="1" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 1"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 1"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 1"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/> <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/> <w:LsdException Locked="false" Priority="34" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/> <w:LsdException Locked="false" Priority="29" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Quote"/> <w:LsdException Locked="false" Priority="30" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 1"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 1"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 2"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 2"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 2"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 2"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 2"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 3"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 3"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 3"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 3"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 3"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 4"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> <w:LsdException Locked="false" Priority="31" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/> <w:LsdException Locked="false" Priority="32" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/> <w:LsdException Locked="false" Priority="33" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Book Title"/> <w:LsdException Locked="false" Priority="37" Name="Bibliography"/> <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/> </w:LatentStyles> </xml><![endif]--><!--[if !supportAnnotations]--> <script></script> <!--[endif]--> <!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman";} </style> <![endif]--> <!--StartFragment--> <br /><div class="MsoNormal" style="text-align: justify;"><span style="font-family: Arial;"></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Earlier this year I was fortunate enough to give a presentation at <a href="http://tedxmaui.com/" target="_blank">TEDxMaui</a>. Previously I discussed what <a href="http://jeremiahgrossman.blogspot.com/2011/12/terrified.html" target="_blank">getting the opportunity was like</a> and the <a href="http://jeremiahgrossman.blogspot.com/2012/01/tedxmaui-hack-yourself-first.html" target="_blank">overall experience of being on stage</a> -- nothing short of amazing -- life changing. While the <a href="http://www.youtube.com/watch?v=-H2G2tlqSSM" target="_blank">Hack Yourself First video recording</a> was recently posted, no amount of preparation would allow me to really say everything that I wanted to and in the order necessary.&nbsp;</span></span><span style="font-family: Arial; font-size: 20px; line-height: 24px;">Everything I really wanted to say, in the written version...</span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">-----</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Every day, every day the life-blood of our nation, the fuel of our economic prosperity, is being sucked away, invisibly and without our knowledge. Every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers. Hackers, who are located both domestically and abroad, are getting away with data by the terabyte daily and are profiting in the billions annually.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal" style="text-align: center;"><span style="font-family: Arial;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/-H2G2tlqSSM?feature=player_embedded' frameborder='0' /></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">And do you know why?</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Because hacking is easy. Because hacking works.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I know this because I am a hacker – no, not THAT kind. My kind is like the Jedi as opposed to the Sith. You know, are the good guys and there is also the dark side. In the world of hacking it’s no different.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">More than being a hacker, I teach other people how to hack. In fact, I teach a lot of people how to hack -- all sorts of ways to hack into banks, retail websites, social networks, government systems, … into computers just like yours and your online accounts. I teach people how this can be done from anywhere across the Internet.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I’ve been invited to teach these skills, publicly, for the past decade -- to businesses, to government agencies, to university students, and industry groups, across six continents. I share stories about precisely how every day people, just like you, and businesses, just like those you own or work for, governments too, have been hacked into, often and with ease.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I bet many of you wondering why this is a good thing, teaching people how to hack. I know hacking is often stereotyped with illegal or nefarious activity. I also know teaching people how to hack, building up our cyber-offense skills, and focusing these skills inward at ourselves, are critical to our national security and helping ensure the economic well-being of us all.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I call this approach, <b>Hack Yourself First</b>, a concept that can, and must, be used as a means to defend ourselves.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I feel so strongly about this that I built a company, <a href="htttps://www.whitehatsec.com/" target="_blank">WhiteHat Security</a>, around this idea. At WhiteHat, we get paid by companies, who do business online, to hack into them and explain how we did so. And they pay us a lot of money to do this work. On the average website, our team can identify one or more security gaps, usually in under 20 minutes.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">In under 20 minutes we’re able locate digital doorways to take over some or all of their the systems, steal whatever sensitive data they have, access their customers accounts, or steal data they have on the system -- all the things that could have made headlines like those you’ve probably seen a lot of in recent years. This is actually what they are doing right now back at headquarters. This is the work we do every day.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">These companies pay us to hack them because they know, as we know, that anything and everything connected to the Internet will endure some type of cyber-attack, likely several a day. They want to avoid being another headline, another cyber-crime victim. They want to know what the bad guys know, or eventually will, so overlooked problems in their security can be fixed. And all this, so you can remain confident in doing business with them.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">So, Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses, we call them vulnerabilities, and the good guys who find and fix them. Unfortunately, no one is quite sure what group has more people. It would not surprise me if the good guys are outnumbered when it comes to Internet security, as anyone with an Internet connection can become a malicious hacker these days, and earn money doing it.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">What you might find interesting is that many hacking techniques are not sophisticated. There are tricks that really anyone can do. In fact, I’d like to teach one of our tricks right now.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="color: white; font-family: Arial;"><span style="background-color: black; font-size: 20px; line-height: 24px;"><b>*REDACTED* Watch the video! ;)</b></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">See, I’ve now taught the people at TED how to hack. Keep an eye on the people sitting next to you. They’re hackers now!</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I’ve also shown methods to steal or reset someone’s passwords, monitor their email, snap pictures of them with their computer’s built in webcam without their knowledge, siphon money out of their bank account, find out what websites they visit, make it look like they downloaded child pornography, and list goes on. Doing any of this requires only slightly more sophistication than what I just described in many cases. If I had an hour, instead of 15 minutes, I could teach you how these things are also done.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I should mention that firewalls and anti-virus software don’t provide any sort of real protection to any of this. It’s kind of like wearing sunglasses and expecting not to get a sunburn. They’re better than nothing, but far from solving all your problems.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">We all have a vested interest in the Internet and its future.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">A few years ago I recognized that the bulk of not only my professional life, but my personal life as well, was spent in front of a computer.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">One day I wanted to get out and do something else, anything else, for a few hours as long as it wasn’t it front of a computer screen or on a cell phone, which is nothing more than a tiny computer these days. I considered watching TV or a movie, listening or learning music, reading a book, writing a book, research something new, buying something nice for my wife, etc.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">The trouble was these things are typically done on a computer these days. I had to try really hard to think of things that have nothing to do with a computer – something that gets increasingly more difficult each year with technological advancement.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">It occurred to me that the vast majority of my life, and the lives of those around me, are completely tied to pervasive computer use – and an Internet connection. That’s when it really hit me that that my work on Internet security is important to just about everyone. Look around at how many of you here brought your laptops, your iPads, and smart phone, and are right now connected to the Internet. Without the Internet, many of us might not even know when and how to get to our next appointment.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">By the way, are you using the public WiFi? Just curious.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">The Internet has been instrumental in helping overthrow oppressive government regimes. &nbsp;At the same time our leaders, from the US and UK governments, are on the record having reserved the right to retaliate against cyber-attacks with militarily action. Bombing computers and computer hackers is part of the plan. I guess you might call this policy bombs for bits, a policy that should really concern us.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">When you think about it that way, Internet security, computer security may now be more important to you than it was a moment ago. Isn’t it?</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I’d bet that everyone – everyone here, everyone who will be eventually watching this video – at some point has had their computer hacked into and been infected with viruses, had one or more of their online accounts previously taken over, or at the very least knows more than one person who has.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Does anyone here want to claim they’ve never been hacked? If so, please raise your hand, I’d like your email address and we’ll get that sorted out.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Hacking, malicious hacking, cyber-crime, has already touched all of our lives, and does so more often than we are lucky enough to be privy to. These days many experts believe you are more likely to be a victim of cyber-crime than any other crime.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">For you, most of the time getting hacked means a slow running computer, annoying pop-ups, losing some money, your personal information exposed, identify theft, and perhaps some public embarrassment. &nbsp;Bad, but not THAT bad.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">If you are a politician, celebrity, news outlet, or a corporate executive, your position, your access, puts you at even more risk &nbsp;-- including those closest to you – the bad guys will hack their way closer to you, one friend or family member at a time if they have to.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">For businesses and governments, who are also hacked into daily, the damage is often far more severe. Professional cyber-criminals who target them of course are after money, but they also want intellectual property, trade secrets, and military capabilities, which can be worth much more than the contents of any bank account. These things are vital to our economic well-being and national security.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Even more revealing is who they work for and what motivates them. For this I’d like to quote Ian Bremmer, President of Eurasia Group.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><span style="color: #274e13;"><i>“When you have hundreds of western multinational corporations that have seen industrial espionage, that’s been directly targeted at them through cyber attacks, massive unprecedented cyber attacks, that were either directly organized by the Chinese government or were known about and actively tolerated by the Chinese government on behalf of Chinese corporations -- that’s a pretty good description of a war.”</i></span></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">There is a reason why the Chinese fighter jets and rockets look suspiciously familiar to our own.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I don’t mean to single out China, they are certainly not the only ones being called out for engaging in cyber-crime and cyber-espionage. On that list is also France, Russia, Estonia, Romania, Ukraine, etc. There is no solid confirmation, but it wouldn’t surprise me if most countries in the modern world are actively engaging in cyber-offense.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Mr. Bremmer goes onto say...</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><span style="color: #274e13;"><i>“National security is no longer about tanks. National security is increasingly about economic well being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.”</i></span></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">That is exactly right!&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">How can a corporation, even the largest, let alone small businesses and individuals, possibly defend themselves against such an adversary -- literally, armies of well-funded nation-state sponsored hackers. Hackers professionally trained, with no reason to fear our laws, who are equidistant from their victims, that’s US, and operate 24 hours a day, 7 days a week, 365 days a year.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens when it stays up. I’m worried about the long-term economic damage, the loss of our ability to innovate, the inability to take advantage of the opportunities that the Internet provides. Most of all though, I’m concerned what happens if the majority of people, all of you, lose confidence in the system -- the security of the Internet – and either stopping or limiting your use of the Internet.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">New laws against hacking are not going to help this problem. Conventional warfare tactics are not much good either. The perpetrators can be geographically located anywhere, are extremely difficult to identify, prove attribution, track down, even harder extradite, and then finally successfully prosecute. Not to mention foreign governments are highly unlikely to turn over soldiers in their own hacker army.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Having said that, improving international cyber-crime law enforcement is a path necessary to pursue as part of a larger program, but we should be realistic about its limits.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">People ask me all the time, what do we do? How do we secure our computers, our networks? How do we secure the Internet? The reality is a problem as diverse and wide reaching as cyber-crime, and cannot be solved by any one thing, but I’ll tell you this -- protecting the Internet requires a completely new way of thinking. I have an idea, an idea worth sharing. Hack Yourself First. An idea furthered by teaching people to hack, and in a manner of speaking, making hacking legal.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense. Offense can be used to inform defense.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Hacking a system, that doesn’t belong to you, without consent of the owner is against federal law, as it should be. The problem arises when system owners don’t provide consent, which only serves to ward off good samaritans who would have gladly shared what they knew and helped protect their users. The bad guys, the real bad guys, do not care and are not deterred.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">What most don’t realize is that any individual, business, government department and so on can actually invite hackers, to test their systems lawfully, and provide a safe way to share their results. Put simply, allow anyone who wants to, can try and hack in. I realize for many that suggesting such an approach might appear counter intuitive, but what it’s not is unprecedented.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Recently a few forward-looking companies started new programs and did exactly that -- openly welcoming hackers, they use the term “security researchers,” to attack their systems and publicly credit them for their discoveries. It’s almost like crowd-sourcing Internet security. Some are even rewarding those who point out serious security gaps with stacks of cash. The industry calls this Bug Bounty programs.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">The companies offering these programs are far from obscure, these are some of the biggest sites, who have hundreds of millions of users, transacting billions of dollars, and are some of the most visible companies on the Internet. You may have heard of a couple of them.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Google, Microsoft, PayPal, Facebook, Saleforce.com, and Mozilla. All of which have directly felt the pain of nation-state sponsored attacks and/or organized crime. They’ve committed not to sue or press charges against security researchers who find vulnerabilities in their systems and discreetly share the details with them. Collectively they’ve awarded millions of dollars to security researchers and resolved thousands of previously unknown issues that protect us all.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">These companies have stated their programs have proved extremely cost effective, helped them identify and hire security talent, eliminated many negative PR headlines, and improved security for themselves and their customers. Huge wins for everyone. All the warnings detractors gave about why bug bounty programs were bad idea simply failed to materialize.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Unfortunately, Internet security history is littered with counter examples where other companies have responded hostilely to those trying to help. Such as the likes of Daniel Cuthbert, Patrick Webster, and dozens of others. &nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">This reminds me of Rule #1 of recreational hacking:&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Never ever, ever touch government or military systems.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">A rule written well before they mentioned anything about a militaristic response. Anyway, the rule reminds curious hackers that the government, should they choose to track you down, has an enormous budget of time and money to do so – far more than any company who all must eventually consider cost effectiveness investigations. What it also means is that to hackers, the Jedi, government and military systems are like the forbidden fruit.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">So imagine the excitement if our government and military officials truly started to embrace “Hack Yourself First” and offered up bug bounty programs! Let me tell you, every aspiring and well-known hacker out there would jump at the chance to match their skills against the cyber-defenses of whitehouse.gov, fbi.gov, army.mil, and the thousands upon thousands of other systems. The street-cred alone would be worth it to many, but a bonus would be helping to protect their country.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">There is no reason such a strategy could not be adopted by just about anyone. Doing so could end up being the most important long-term economic and national security decision.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">I used to work for Yahoo. <a href="http://jeremiahgrossman.blogspot.com/2007/04/how-i-got-my-start.html" target="_blank">12 years ago I hacked Yahoo Mail</a>. More accurately I hacked into my own Yahoo Mail account, to see if I could do it. Some people have hobbies like artwork, sports, cars -- I hack. I found a way, several ways actually, to get into my inbox without needing a password. I let Yahoo know the details – promptly and privately. In return they gave me a t-shirt. I was pretty excited about that.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">A dialog followed with one of the founders, which later earned me a job -- to hack everything that Yahoo had, before the “real” bad guys did, and my experience there led to a career.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">A company with a different point of view might decided to call their lawyer, or the cops, filed a lawsuit, cost me my job, and the freedom of a 21 year old. In which case, I wouldn’t be been in front of you here today -- teaching you how to hack and the importance of Internet security.</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">Remember, security is optional, but so is survival.&nbsp;</span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: Arial;"><span style="font-size: 20px; line-height: 24px;">It has been said that if you are a playing a game that you can’t afford to lose, then you must change the rules. <b>Hack Yourself First</b>.</span></span></div><div style="font-size: 19px; line-height: 24px;"><span style="font-family: Arial;"><br /></span></div><br /><div><div><div class="msocomtxt" id="_com_11" language="JavaScript"> <!--[if !supportAnnotations]--></div><!--[endif]--></div></div><!--EndFragment--><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com4http://blog.jeremiahgrossman.com/2012/04/written-speech-tedxmaui-hack-yourself.htmltag:blogger.com,1999:blog-13756280.post-12755622950303423482012-01-23T18:52:00.002-08:002012-04-12T16:09:47.048-07:00TEDxMaui -- Hack Yourself First<div class="p1"><div class="separator" style="clear: both; text-align: left;"><a href="https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/405242_10150518950028492_527943491_9102549_377235191_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="212" src="https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/405242_10150518950028492_527943491_9102549_377235191_n.jpg" width="320" /></a><b><span style="color: #274e13;">Update 04.12.2012: <a href="http://www.youtube.com/watch?v=-H2G2tlqSSM&amp;list=PL9FF3146D30EA5372&amp;feature=player_embedded">Video</a> of the presentation embedded below. &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span></b>Ten years ago if you would have told me that I'd be back&nbsp;living in Hawaii, founder of a fast growing technology company, and a TED speaker -- I would've said, "What's a TED?" Preparing for <a href="http://www.tedxmaui.com/">TEDxMaui</a> was extremely difficult. The presentation format is completely different than anything I’ve ever done before. It was limited to just 18 minutes as opposed to 50, and given to an audience of every day people eager to see something amazing, instead of security professionals and high-tech workers. The message had to be crystal clear. Since TEDxMaui videos won’t be published until late February, you’ll have to settle for my substandard textual description for now.</div><div class="separator" style="clear: both; text-align: left;"><br /></div></div><div class="p1"><div style="text-align: left;"><div class="separator" style="clear: both; text-align: left;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/-H2G2tlqSSM?feature=player_embedded' frameborder='0' /></div><br /></div></div><div class="p1">I wanted everyone, both the viewers in the audience and those who would eventually watch the video, to deeply appreciate the crucial importance of Internet security. I want everyone to know that to discuss Internet security is really to discuss our economic well-being and our national security, and I want everyone to know that both are under attack -- every single day. Most of all I wanted everyone to know that hacking, and people learning how to hack, is absolutely essential to defend ourselves. I labelled this concept <b>Hack Yourself First</b>, the title of the presentation. <b>Hack Yourself First </b>advocates<b> </b>building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.</div><div class="p1"><br /></div><div class="p1">Before presenting <b>Hack Yourself First</b> I had to first imagine how the audience would respond. Most watching undoubtedly have only had negative experiences with the words “hacking” and “hackers.” All they likely knew of hacking is in relation to viruses infecting their computers, stealing money out of (their) bank accounts, TV interviews of shadowy characters wearing Guy Fawkes masks, salacious articles featuring cyber villains, and of course bad hollywood movies. Whether we like it or not, these are the ambassadors of hacking, so the idea of teaching cyber-offense skills might be considered akin to illegal activity. Just the same, there I was on stage revealing that, “Yes, I am a hacker -- but not like them.”&nbsp;</div><div class="p1"><br /><a href="http://a.yfrog.com/img864/9384/hak.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="210" src="http://a.yfrog.com/img864/9384/hak.png" width="320" /></a></div><div class="p1"><br />I don’t know what precisely it was that I said, but the message of <b>Hack Yourself First</b> undoubtedly resonated in a big way. No less than a hundred people introduced themselves to me afterwards excitedly asking, “How do I learn to hack myself first?” Perhaps I shouldn’t have been, but I was blown away. And not just the very young or student age, I’m talking about people 45 up to 70 years old with zero technology background. Maybe it was because I taught them a simple hacking trick, a simple hacking trick they could grasp, and even do, like those from my “<a href="http://www.youtube.com/watch?v=SIMF8bp5-qg">Get Rich or Die Trying</a>” presentation. Suddenly the fascinating subject of hacking, which they previously assumed was too complicated to learn, was suddenly approachable. I taught a TED audience how to hack! How cool is that!? :)</div><div class="p1"><br /></div><div class="p1">Many in the information security industry have been trying desperately and in vain to raise Internet security awareness among the masses. We repeatedly give people laundry lists of what not to do, and it isn’t helping. Better awareness, better overall Internet security, could be accomplished through <b>Hack Yourself First</b>. Teach anyone and everyone who wants to learn how to do the actual attacks the bad guys use against them, perhaps packaged up in a Capture-the-Flag format.&nbsp; That would be a lot of fun for everyone. When people know precisely how hacking works, they’ll be in a better position to spot attacks against them and be on their guard.</div><div class="p1"><br /></div><div class="p1">I came to TEDxMaui to share my ideas with a wider audience, but what I came away with was more ideas from them about where we can take <b>Hack Yourself First.</b>&nbsp;</div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com17http://blog.jeremiahgrossman.com/2012/01/tedxmaui-hack-yourself-first.htmltag:blogger.com,1999:blog-13756280.post-52229759630388142972011-12-29T13:42:00.000-08:002012-01-19T09:40:09.132-08:00TerrifiedOver my career I’ve given exactly 295 public presentations, to audiences as small as a table full and up to many thousands. Audience members have said countless times that they really enjoy my speeches. Conference organizers always invite me back, and my feedback scores are always amongst the highest. These are accomplishments I’m proud of and a level of success only achieved with the help of a lot of dedicated people. You might think that after all this experience that I’m extremely comfortable on stage. The reality is that you’d be wrong, <u>very wrong</u>. What most don’t know is that each and every time I’ve present, to this day, I suffer from extreme anxiety, commonly known as stage fright. In my case, terrified would be a more accurate description.<br /><br />I’ve been known to physically shake, have shortness of breath and a strained voice, speak far too quickly, be statuesque on stage almost like I’m hiding, and feel just overall completely stressed out. Early on I decided that no matter how terrified I was, my message needed to get out there, and it was more important than letting fear stop me. I think my #1 skill as a public speaker is hiding my fear, my terror. My theory was the more experience I gained the faster I’d overcome it. In the meantime in order to cope I developed a pre-presentation ritual.<br /><br />I’d prepare heavily for each event, pour over the content in every slide, and seek candid feedback from those I trusted. I’d also commonly ask event organizer for details on audience demographics to specifically tailor my comments. I’d then practice ahead of time for small private groups in order to get the timing and flow down. If something or all of it sucked, I’d throw it out. With the assistance of my wife, I’d even get a plan down for precisely what I was going to wear during at show day. Nothing was left to chance. Finally, I block out an hour before each presentation to check out the stage, be alone with time to center, prepare and calm myself down, and of course continue tweaking slides. Being prepared helped take the edge off my anxiety a lot.<br /><br />The problem was, or is, that no matter how many times I presented, the anxiety, the fear, and terror never really lessened. That is until this last year. Something changed, but what!? Had I finally overcome? I’m not an introspective person so it wasn’t until very recently that I think I figured it out. In 2011 my public presentations weren’t pushing the envelope as much as in years past. The content was good to be sure, but it also focused on “safe” business level subjects and incrementally advancing work from previous years. In short, I really wasn’t putting myself out there as far as I’m used to. In my case, the feeling or fear and terror arises when pushing forth an idea or a concept and unsure if people will think its uncompelling or totally idiotic. A chance you take.<br /><br />That’s about when I got a call from the TED offering a speaking slot in <a href="http://tedxmaui.com/">TEDxMaui</a>. We got to talking about my work and discussing an idea worth spreading. It didn’t take long. Then all of a sudden I’m thrust right back into fear and terror mode, but now that I understand it, the feeling is almost comforting. It signals that I have an opportunity to take things in my industry, in our industry, to a new level --- or of course drive right off a cliff. Either way it’ll be a good show! &nbsp;:)<div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com16http://blog.jeremiahgrossman.com/2011/12/terrified.htmltag:blogger.com,1999:blog-13756280.post-75382636521234573492011-06-21T16:28:00.000-07:002011-06-21T16:29:45.935-07:00How I got my start -- in Brazilian Jiu-JitsuI’ve been a UFC fan for years, even before it was acquired by Zuffa. I was fascinated by the anything goes, hand-to-hand form of combat. I suppose it reminded me of growing up in Hawaii. :) The UFC was also enjoyable because it helped answer the question, “What martial-art or fighting style was most effective?” Karate? Kickboxing? Boxing? Wrestling? Ninjutsu? What matters more, size or technique?<br /><br />The UFC provided a forum, the octagon, to settle the long-standing fight-world debate. Everyone had a theory, but no one really knew for sure. What became crystal clear even today is that every fighter must have a background in Brazilian Jiu-Jitsu or they WILL lose. It’s just that simple. My background was mostly striking, so I wanted to try out this ground fighting stuff.<br /><br />A co-worker, also interested in the UFC, and I found a <a href="http://cbjj.net/">local BJJ academy in San Jose taught by black belt instructor Tom Cissero</a>. Tom has a passion for the martial arts and, more importantly, for his students, as he deeply feels that they are a direct reflection upon his life and value as a person. Yes, he takes his craft that seriously, and serious he is. Tom is abrasive, aggressive, and combative, attributes covering up a heart of gold. In the academy Tom will push you hard, harder than any place else, to make you good. Whether you like it or not, and he cares enough to do so. That’s why I stayed with him the better part of a decade.<br /><br />Anyway, my 6’2” - 300lbs, and let’s face it, seriously fat and way out of shape frame walks in -- admittedly with a little bit of big man ego. I see Tom instantly trying to size me up. Of course he had me figured out in all of 5 seconds as you’ll read in a moment. After signing the waver, doing some drills, and learning a couple of submissions I began to familiarize myself with the basic rules and gym etiquette. Then came sparring time. Tom loves the sparring sessions more than anything else. Probably because it measures your progress in stamina and skill.<br /><br />Tom pairs me up with, and I kid you not, a 150 lbs or less woman in her mid 40’s and says let’s see what you can do. She’s a purple belt with several years of BJJ experience, but I’m thinking to myself WTF!? She’s half my size! I’m going to squash her! Then of course the whole situation is running counter to my internal man moral code, never fight girls. Not being given a choice, but also not wanting to be disrespectful, I decided to go really easy as I didn’t want to hurt her or anything.<br /><br />The bells sounds, I come slowly forward towards her, she quickly closes the distance, spider monkeys to my back, chokes me, and forces me to tap out inside of 10 seconds flat. I was shocked and a little upset. Here I am going light and she takes advantage of me. Clearly she’s not playing around. To hell with this, no way I’m going to let that happen again! No more Nr. Nice Guy.<br /><br />We touch hands, signaling to begin again, but I go harder this time trying to put her back on the mat. She again somehow sneaks around under my arm, like an octopus, and chokes me with the same damn move! To my credit, I lasted a few more seconds that time. This scenario repeats for about 4 to 5 minutes in the session, and for the life of me, as big strong guy, I could not keep this tiny older woman off my back and robbing the oxygen from my brain. Oh, and all the while she is speaking to me in a calm instructive voice. Humiliation is the best word to describe.<br /><br />At the end of class I’m thinking to myself, there is something to this Brazilian Jiu-Jitsu stuff. However, that wasn’t the most important thing to me at that particular moment. There was no way I could go on about my life happily knowing that a such a women could kick my butt so easily. Call it machoism if you like, I don’t care. It was clear to me that I had to keep training BJJ at least long enough to beat her. It only took three years. Fortunately for me by that time the motivation to simply get better and enjoy myself became my primary driver.<br /><br />By the way, that woman is still training there. So if you are a big guy, and plan to drop by for a visit, don’t say I didn’t warn you. You could quickly find yourself on a journey to becoming a BJJ black belt.<div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com11http://blog.jeremiahgrossman.com/2011/06/how-i-got-my-start-in-brazilian-jiu.htmltag:blogger.com,1999:blog-13756280.post-6010384153494805192011-05-16T10:41:00.000-07:002011-05-16T11:00:08.724-07:00Web security content moving to new WhiteHat Security corp blogMany of you have noticed I haven’t been blogging in several weeks. The truth is I have been blogging, just not here! For those that missed the announcement, <a href="https://www.whitehatsec.com/">WhiteHat Security</a> recently launched a <a href="https://blog.whitehatsec.com/">new corporate blog</a>, featuring over a half dozen other WhiteHat bloggers in addition to myself. To support and intermingle with other exceptionally solid posts, I’ve been directing my Web security content over there. If you review the archives you'll find cool stuff on <a href="https://blog.whitehatsec.com/whitehat-security%E2%80%99s-approach-to-detecting-cross-site-request-forgery-csrf/">scaling CSRF identification</a>, <a href="https://blog.whitehatsec.com/its-a-dom-event/">DOM-based XSS</a>, <a href="https://blog.whitehatsec.com/flash-307-redirect-game-over/">Bypassing CSRF tokens with a Flash 0-day</a>, etc.<br /><br />Here are some of my most recent posts that you may have missed:<br /><ul><li><a href="https://blog.whitehatsec.com/mythbusting-static-analysis-software-testing-100-code-coverage/">Mythbusting: Static Analysis Software Testing – 100% Code Coverage</a></li><li><a href="https://blog.whitehatsec.com/security-as-a-differentiator/">PROTIP: Security as a Differentiator</a></li><li><a href="https://blog.whitehatsec.com/the-security-scoreboard/">PROTIP: Publish Security Scoreboards Internally</a></li><li><a href="https://blog.whitehatsec.com/mythbusting-static-analysis-software-testing-100-code-coverage/">Recent SQL Injection Hacks – Things You Should Know</a></li><li><a href="https://blog.whitehatsec.com/if-you-want-to-improve-something-measure-it/">If You Want to Improve Something, Measure It</a></li><li><a href="https://blog.whitehatsec.com/an-incident-is-a-terrible-thing-to-waste-even-those-of-others/">An Incident Is a Terrible Thing to Waste (even those of others)</a></li><li><a href="https://blog.whitehatsec.com/cya-cover-your-applications/">(CYA) Cover Your Applications – All of Them</a></li><li><a href="https://blog.whitehatsec.com/the-cost-of-non-compliance/">The Necessity of Compliance Alone Is Insufficient for Justifying Security Investment</a></li><li><a href="https://blog.whitehatsec.com/theory-google-will-open-source-their-web-server-or-should/">Theory: Google will open source their Web server — or should</a></li><li><a href="https://blog.whitehatsec.com/are-20-of-developers-responsible-for-80-of-the-vulnerabilities/">Are 20% of developers responsible for 80% of the vulnerabilities?</a></li></ul>See! I have been blogging. :) Consider updating your <a href="http://feeds.feedburner.com/WhitehatSecurityBlog">RSS feeds</a>.<br /><br />I'll continue posting here, only at a much lower volume, and exclusively about personal things like my adventures in Brazilian Jiu-Jitsu.<div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com4http://blog.jeremiahgrossman.com/2011/05/web-security-content-moving-to-new.htmltag:blogger.com,1999:blog-13756280.post-9949556203628963082011-03-15T17:28:00.001-07:002011-03-15T17:44:35.617-07:00Sentinel SecurityCheckHave you been hearing about <a href="http://www.whitehatsec.com/home/services/services.html">WhiteHat Sentinel</a> for a while, but never had the opportunity to try out the service for yourself? We'd like to change that and make Sentinel accessible to more people. We've recently announced a new promotion, for those who are interested and qualify, to receive the full customer experience for 30 days -- for FREE. This is way more than just finding vulnerabilities. If you like it, great sign-up! If not, which is extremely rare, you owe nothing. Follow the link below for additional details.<span style="font-weight: bold;"></span><span style="font-weight: bold; color: rgb(0, 102, 0);"><br /><br /><a style="color: rgb(0, 102, 0);" href="http://whitehatsec.com/home/news/11pressarchives/PR_031511securitycheck.html">WhiteHat Security Announces No Cost Website Vulnerability Assessment Program</a></span><span style="color: rgb(0, 102, 0);"><br />Sentinel SecurityCheck offers organizations 30 days of continuous assessment to identify all website vulnerabilities and mitigate leading risk for data breaches; Participating companies gain access to WhiteHat Security's verified vulnerability results and personalized guidance on website risk management</span><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com4http://blog.jeremiahgrossman.com/2011/03/sentinel-securitycheck.htmltag:blogger.com,1999:blog-13756280.post-11948282940612349382011-03-11T11:07:00.000-08:002011-03-11T13:37:45.439-08:0011th WhiteHat Website Security Statistic Report: Windows of Exposure<a style="color: rgb(0, 102, 0); font-style: italic;" href="http://www.whitehatsec.com/home/resource/stats.html">WhiteHat Security's 11th Website Security Statistics Report</a><span style="color: rgb(0, 102, 0); font-style: italic;">, presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under </span><a style="color: rgb(0, 102, 0); font-style: italic;" href="http://www.whitehatsec.com/home/services/services.html">WhiteHat Sentinel</a><span style="color: rgb(0, 102, 0); font-style: italic;"> management. This represents the largest, most complete, and unique dataset of its kind. WhiteHat Security makes this report available specifically for organizations that aim to start or significantly improve their website security programs, prevent breaches, and data loss.</span><br /><br /><span style="font-weight: bold;"> Top 3 Key Findings (Full list available in the report) </span><br /><ul><li>Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9–12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.</li><li> During 2010, the average website had 230 serious* vulnerabilities. </li><li> In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.</li></ul><br /><a href="http://3.bp.blogspot.com/-LeXW4oJIPQI/TXqVsEp-88I/AAAAAAAAB5Y/ZxmGg6S7CD4/s1600/windowsofexposure.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 409px; height: 279px;" src="http://3.bp.blogspot.com/-LeXW4oJIPQI/TXqVsEp-88I/AAAAAAAAB5Y/ZxmGg6S7CD4/s400/windowsofexposure.png" alt="" id="BLOGGER_PHOTO_ID_5582939272475767746" border="0" /></a>Window of Exposure is an organizational key performance indicator that measures the number of days a website has at least one serious vulnerability over a given period of time.<br /><br /><a style="font-weight: bold;" href="http://www.whitehatsec.com/home/resource/stats.html">Download the Full Report</a>...<div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com0http://blog.jeremiahgrossman.com/2011/03/11th-whitehat-website-security.htmltag:blogger.com,1999:blog-13756280.post-31797069179719064282011-03-10T10:33:00.000-08:002011-03-10T10:50:07.038-08:00Robert “RSnake” Hansen, age 34, has passed away, on FacebookFacebook encourages people to keep up with friends and family through those familiar little website reminders notices. In some cases the person suggested in the reminder has passed away, which would explain the account inactivity, and this might obviously be taken as offensive and emotionally distressing. Facebook recognizes this and offers a process where they allow accounts to be “<a href="http://www.facebook.com/blog.php?post=163091042130">Memorialized</a>” on the recommendation of a “friend” by filling out the appropriate form.<div style="text-align: center;"><span><span><br /></span></span></div><div style="color: rgb(0, 102, 0);"><span><span><span class="Apple-style-span"><i>“When a user passes away, we memorialize their account to protect their privacy. Memorializing an account sets the account privacy so that only confirmed friends can see the profile or locate it in search. The Wall remains, so friends and family can leave posts in remembrance. Memorializing an account also prevents anyone from logging into the account.”</i></span></span></span></div><div><span><span><span class="Apple-style-span"><br /></span></span></span></div><div><span><span>As many readers might recall, a couple months ago Robert “RSnake” Hansen, best known for his contributions to Web security, <a href="http://ha.ckers.org/blog/20101201/and-beyond/">bid his farewell in a final 1,000th blog post</a>. Since RSnake has departed “the scene,” he is effectively dead in an online sense. As such some felt it only fitting that his Facebook persona follow a similar path and shake off its digital coil. To get RSnake’s page memorialized all that was required was finding a person who shared the same name, who had a recent obituary published somewhere online, lived in roughly the same area, and then fill out the necessary form. Not to long after...<br /><br /></span></span><a href="http://2.bp.blogspot.com/-BrFtGe2C2-s/TXkdTnMsKQI/AAAAAAAAB5Q/GJUbCMJS87U/s1600/rsnakedead.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://2.bp.blogspot.com/-BrFtGe2C2-s/TXkdTnMsKQI/AAAAAAAAB5Q/GJUbCMJS87U/s400/rsnakedead.png" alt="" id="BLOGGER_PHOTO_ID_5582525435879368962" border="0" /></a><br /></div><div><span><span>If you are a Facebook friend of RSnake, you may still pay your last respects to him on his wall. Rest assured that while he can no longer reply himself, he is indeed smiling (or LHAO) down on us all from above.</span></span><p class="p1"><span class="s1"><br /></span></p></div><div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com3http://blog.jeremiahgrossman.com/2011/03/robert-rsnake-hansen-age-34-has-passed.htmltag:blogger.com,1999:blog-13756280.post-73613776821592832562011-02-21T10:32:00.000-08:002012-02-14T08:52:10.651-08:00Top Ten Web Hacking Techniques of 2011<b>Update 02.14.2011</b>: <a href="https://blog.whitehatsec.com/vote-now-top-ten-web-hacking-techniques-of-2011/">Open voting for the final 15 is now underway. Vote Now</a>!<br /><br /><br />This post will serve to collect new attack techniques as they are published. If you think something should be added, please comment below and I'll add them.<br /><br /><span style="color: #006600; font-style: italic;">"Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work."</span><br /><br /><span style="font-weight: bold;">Current 2011 List</span><br /><ol><li><a href="http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/">Bypassing Flash’s local-with-filesystem Sandbox</a></li><li><a href="https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information">Abusing HTTP Status Codes to Expose Private Information</a></li><li><a href="http://andrewmcafee.org/2011/02/mcafee-apple-itunes-privacy-hole-violation/">SpyTunes: Find out what iTunes music someone else has</a></li><li><a href="http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html">CSRF: Flash + 307 redirect = Game Over</a></li><li><a href="http://tinyurl.com/5w6koqj">Close encounters of the third kind (client-side JavaScript vulnerabilities)</a></li><li><a href="http://elie.im/blog/security/tracking-users-that-block-cookies-with-a-http-redirect/">Tracking users that block cookies with a HTTP redirect</a></li><li><a href="http://elie.im/publication/the-failure-of-noise-based-non-continuous-audio-captchas">The Failure of Noise-Based Non-Continuous Audio Captchas</a></li><li><a href="http://yifan.lu/2011/12/10/kindle-touch-5-0-jailbreakroot-and-ssh/">Kindle Touch (5.0) Jailbreak/Root and SSH</a></li><li><a href="http://www.thespanner.co.uk/2011/12/05/nulls-in-entities-in-firefox/">NULLs in entities in Firefox</a></li><li><a href="http://www.schemehostport.com/2011/12/timing-attacks-on-css-shaders.html">Timing Attacks on CSS Shaders</a></li><li><a href="http://shreeraj.blogspot.com/2011/11/csrf-with-json-leveraging-xhr-and-cors_28.html">CSRF with JSON – leveraging XHR and CORS </a></li><li><a href="http://shreeraj.blogspot.com/2011/12/double-eval-for-dom-based-xss.html">Double eval() for DOM based XSS</a></li><li><a href="http://kyleosborn.org/2011/10/09/the-hidden-xss-attacking-the-desktop-mobile-platforms-slides-video/">Hidden XSS Attacking the Desktop &amp; Mobile Platforms</a></li><li><a href="http://lcamtuf.coredump.cx/cachetime/">Rapid history extraction through non-destructive cache timing (v8)</a></li><li><a href="http://aboulton.blogspot.com/2011/11/new-type-of-vulnerability-lotus-notes.html">Lotus Notes Formula Injection </a></li><li><a href="http://blog.kotowicz.net/2011/10/stripping-referrer-for-fun-and-profit.html">Stripping Referrer for fun and profit</a></li><li><a href="http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html">How to upload arbitrary file contents cross-domain</a> (<a href="http://blog.kotowicz.net/2011/05/cross-domain-arbitrary-file-upload.html">2</a>)</li><li><a href="http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html">Exploiting the unexploitable XSS with clickjacking</a></li><li><a href="http://blog.kotowicz.net/2011/01/how-to-get-sql-query-contents-from-sql.html">How to get SQL query contents from SQL injection flaw</a></li><li><a href="http://blog.kotowicz.net/2011/01/xss-track-as-html5-websockets-traffic.html">XSS-Track as a HTML5 WebSockets traffic sniffer</a></li><li><a href="http://blog.kotowicz.net/2011/07/cross-domain-content-extraction-with.html">Cross domain content extraction with fake captcha</a></li><li><a href="http://blog.mindedsecurity.com/2011/10/autocompleteagain.html">Autocomplete..again?! </a></li><li><a href="http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html">JSON-based XSS exploitation</a></li><li><a href="http://blog.watchfire.com/wfblog/2011/10/dns-poisoning-via-port-exhaustion.html">DNS poisoning via Port Exhaustion</a></li><li><a href="https://nealpoole.com/blog/2011/10/java-applet-same-origin-policy-bypass-via-http-redirect/">Java Applet Same-Origin Policy Bypass via HTTP Redirect</a></li><li><a href="http://www.feross.org/webcam-spy/">HOW TO: Spy on the Webcams of Your Website Visitors</a></li><li><a href="http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html">Launch any file path from web page </a></li><li><a href="http://nakedsecurity.sophos.com/2011/09/07/crowd-sourcing-mischief-on-google-maps-leads-customers-astray/">Crowd-sourcing mischief on Google Maps leads customers astray</a></li><li><a href="http://vnhacker.blogspot.com/2011/09/beast.html">BEAST</a></li><li><a href="http://blog.securitee.org/?p=37">Bypassing Chrome’s Anti-XSS filter</a></li><li><a href="https://superevr.com/blog/2011/xss-in-skype-for-ios/">XSS in Skype for iOS</a></li><li><a href="http://sites.google.com/site/tentacoloviola/">Cookiejacking</a></li><li><a href="http://pauldotcom.com/2011/05/stealth-cookie-stealing-new-xs.html">Stealth Cookie Stealing (new XSS technique)</a></li><li><a href="http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/">SurveyMonkey: IP Spoofing</a></li><li><a href="http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html">Using Cross-domain images in WebGL and Chrome 13</a></li><li><a href="http://blog.kotowicz.net/2011/04/how-to-make-file-server-from-your.html">Filejacking: How to make a file server from your browser (with HTML5 of course)</a></li><li><a href="http://amolnaik4.blogspot.com/2011/03/exploitation-of-self-only-cross-site.html">Exploitation of “Self-Only” Cross-Site Scripting in Google Code</a></li><li><a href="https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit?hl=en_US&amp;pli=1">Expression Language Injection</a></li><li><a href="http://code.google.com/p/dominator/">(DOMinator) Finding DOMXSS with dynamic taint propagation</a></li><li><a href="http://jeremiahgrossman.blogspot.com/2011/03/robert-rsnake-hansen-age-34-has-passed.html">Facebook: Memorializing a User</a></li><li><a href="https://blog.whitehatsec.com/how-to-own-every-user-on-a-social-networking-site/">How To Own Every User On A Social Networking Site</a></li><li><a href="http://elie.im/publication/text-based-captcha-strengths-and-weaknesses">Text-based CAPTCHA Strengths and Weaknesses</a></li><li><a href="http://code.google.com/p/puzzlemall/downloads/list">Session Puzzling</a> (aka Session Variable Overloading) Video <a href="http://www.youtube.com/watch?v=HeP54b52IeQ">1</a>, <a href="http://www.youtube.com/watch?v=iTcOooHbgog">2</a>, <a href="http://www.youtube.com/watch?v=ikIyInm0wAg">3</a>, <a href="http://www.youtube.com/watch?v=-DackF8HsIE">4</a></li><li><a href="http://www.youtube.com/watch?v=woWECWwrsSk">Temporal Session Race Conditions</a> Video <a href="http://www.youtube.com/watch?v=3k_eJ1bcCro">2</a></li><li><a href="https://media.blackhat.com/bh-us-11/Johansen/BH_US_11_JohnasenOsborn_Hacking_Google_WP.pdf">Google Chrome/ChromeOS sandbox side step via owning extensions </a></li><li><a href="http://dsecrg.blogspot.com/2011/12/excel-formula-injection-in-google-docs.html">Excel formula injection in Google Docs </a></li><li><a href="http://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/">Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)</a></li><li><a href="http://gursevkalra.blogspot.com/2011/11/captcha-hax-with-tessercap.html">CAPTCHA Hax With TesserCap </a></li><li><a href="https://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/">Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java</a></li><li><a href="http://polyboy.net/docs/2011_DIMVA_Flash_crossdomain_proxies.pdf">Abusing Flash-Proxies for client-side cross-domain HTTP requests</a> [<a href="http://polyboy.net/docs/Talks/2011_Bitingthehandthatservesyou_DIMVA.pdf">slides</a>]<br /></li></ol><span style="font-weight: bold;"><br />Previous Winners</span><br /><a href="http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html">2010</a> - 'Padding Oracle' Crypto Attack<br /><a href="http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html">2009</a> - Creating a rogue CA certificate<br /><a href="http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html">2008</a> - GIFAR<br /><a href="http://jeremiahgrossman.blogspot.com/2008/01/top-ten-web-hacks-of-2007-official.html">2007</a> - XSS Vulnerabilities in Common Shockwave Flash Files<br /><a href="http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html">2006</a> - Web Browser Intranet Hacking / Port Scanning<div class="blogger-post-footer"><br /><br /><hr />
Hack Yourself First: <a href="https://www.jeremiahgrossman.com/">Jeremiah Grossman</a>
<br /><hr /></div>Jeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.com41http://blog.jeremiahgrossman.com/2011/02/top-ten-web-hacking-techniques-of-2011.html